Java: detect control characters which are not correct for JSON

Question

I am reinventing the wheel and creating my own JSON parse methods in Java.

I am going by the (very nice!) documentation on json.org. The only part I am unsure about is where it says "or control character"

Since the documentation is so clear, and JSON is so simple and easy to implement, I thought I would go ahead and require the spec instead of being loose.

How would I correctly strip out control characters in Java? Perhaps there is a unicode range?

---

Edit: A (commonly?) missing peice to the puzzle

I have been informed that there are other control characters outside of the defined range ^{1 2} that can be troublesome in <script> tags.

Most notably the characters U+2028 and U+2029, Line and Paragraph Separator, which act as newlines. Injecting a newline into the middle of a string literal will most likely cause a syntax error (unterminated string literal). ³

Though I believe this does not pose an XSS threat, it is still a good idea to add extra rules for the use in <script> tags.

• Just be simple and encode all non-"ASCII printable" characters with \u notation. Those characters are uncommon to begin with. If you like, you could add to the white-list, but I do recommend a white-list approach.
• In case you are not aware, do not forget about </script (not case sensitive), which could cause HTML script injection to your page with the characters </script><script src=http://tinyurl.com/abcdef>. None of those characters are by default encoded in JSON.

Answer 1

Will Character.isISOControl(...) do? Incidentally, UTF-16 is an encoding of Unicode codepoints... Are you going to be operating at the byte level, or at the character/codepoint level? I recommend leaving the mapping from UTF-16 to character streams to Java's core APIs...