fix: escape unsafe key chars (#8)

src/index.ts

@@ -1,5 +1,6 @@
 const consola = require('consola')
 const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_$';
+const unsafeChars = /[<>\b\f\n\r\t\0\u2028\u2029]/g;
 const reserved = /^(?:do|if|in|for|int|let|new|try|var|byte|case|char|else|enum|goto|long|this|void|with|await|break|catch|class|const|final|float|short|super|throw|while|yield|delete|double|export|import|native|return|switch|throws|typeof|boolean|default|extends|finally|package|private|abstract|continue|debugger|function|volatile|interface|protected|transient|implements|instanceof|synchronized)$/;
 const escaped: Record<string, string> = {
 	'<': '\\u003C',
@@ -246,12 +247,20 @@ function getType(thing: any) {
 	return Object.prototype.toString.call(thing).slice(8, -1);
 }
 
+function escapeUnsafeChar(c: string) {
+	return escaped[c] || c
+}
+
+function escapeUnsafeChars(str: string) {
+	return str.replace(unsafeChars, escapeUnsafeChar)
+}
+
 function safeKey(key: string) {
-	return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? key : JSON.stringify(key);
+	return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? key : escapeUnsafeChars(JSON.stringify((key)));
 }
 
 function safeProp(key: string) {
-	return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? `.${key}` : `[${JSON.stringify(key)}]`;
+	return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? `.${key}` : `[${escapeUnsafeChars(JSON.stringify(key))}]`;
 }
 
 function stringifyString(str: string) {

test/test.ts

@@ -118,7 +118,11 @@ describe('devalue', () => {
 			new toJSONTest(`"</script><script src='https://evil.com/script.js'>alert('pwned')</script><script>"`),
 			`"\\u003C\\u002Fscript\\u003E\\u003Cscript src='https:\\u002F\\u002Fevil.com\\u002Fscript.js'\\u003Ealert('pwned')\\u003C\\u002Fscript\\u003E\\u003Cscript\\u003E"`
 		);
-
+		test(
+			'Dangerous key',
+			{ '<svg onload=alert("xss_works")>': 'bar' },
+			'{"\\u003Csvg onload=alert(\\"xss_works\\")\\u003E":"bar"}'
+		)
 	});
 
 	describe('misc', () => {