encoding/json: mention escaping of '&'

Fixes #7034. LGTM=iant R=golang-codereviews, iant CC=golang-codereviews https://golang.org/cl/57140043

encoding/json: mention escaping of '&'
Fixes #7034. LGTM=iant R=golang-codereviews, iant CC=golang-codereviews https://golang.org/cl/57140043
8a2dd16c · Shenghou Ma · 57bc80b5 · 8a2dd16c
Commit 8a2dd16c authored Feb 05, 2014 by Shenghou Ma
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

encode.go src/pkg/encoding/json/encode.go +2 -1

No files found.
--- a/src/pkg/encoding/json/encode.go
+++ b/src/pkg/encoding/json/encode.go
@@ -44,6 +44,7 @@ import (
 // if an invalid UTF-8 sequence is encountered.
 // The angle brackets "<" and ">" are escaped to "\u003c" and "\u003e"
 // to keep some browsers from misinterpreting JSON output as HTML.
+// Ampersand "&" is also escaped to "\u0026" for the same reason.
 //
 // Array and slice values encode as JSON arrays, except that
 // []byte encodes as a base64-encoded string, and a nil slice
@@ -804,7 +805,7 @@ func (e *encodeState) string(s string) (int, error) {
 				e.WriteByte('r')
 			default:
 				// This encodes bytes < 0x20 except for \n and \r,
-				// as well as < and >. The latter are escaped because they
+				// as well as <, > and &. The latter are escaped because they
 				// can lead to security holes when user-controlled strings
 				// are rendered into JSON and served to some browsers.
 				e.WriteString(`\u00`)