client/json: escape object keys
authorVincent Bernat <vincent@bernat.ch>
Sat, 9 May 2026 12:40:54 +0000 (14:40 +0200)
committerVincent Bernat <vincent@bernat.ch>
Sat, 9 May 2026 13:26:12 +0000 (15:26 +0200)
Object keys were emitted via `fprintf("\"%s\": ", ...)` without
escaping. `json_element_cleanup()` can promote a child element's name
string into the parent's key, so a neighbor-controlled string containing
a quote or backslash could inject into a key.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
src/client/json_writer.c

index 38395536a098aa1ce5742a8077c3d89030dff3a1..0c08bdc20f550191385c15d77e366d4a01af42c5 100644 (file)
@@ -171,7 +171,10 @@ json_element_dump(FILE *fh, struct element *current, int indent)
                fprintf(fh, "%c\n%*s", pairs[(current->tag == ARRAY)][0], indent + 2,
                    "");
                TAILQ_FOREACH (el, &current->children, next) {
-                       if (current->tag == OBJECT) fprintf(fh, "\"%s\": ", el->key);
+                       if (current->tag == OBJECT) {
+                               json_string_dump(fh, el->key);
+                               fprintf(fh, ": ");
+                       }
                        json_element_dump(fh, el, indent + 2);
                        if (TAILQ_NEXT(el, next)) fprintf(fh, ",\n%*s", indent + 2, "");
                }
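Review bot: `el->key` is now handed to `json_string_dump()` in the `OBJECT` branch with no NULL check, so whether a child without a key is handled safely depends on that helper, whose body is outside this hunk. The old `fprintf` with `%s` was also undefined for a NULL argument, although glibc prints `(null)` in that case, so a helper that dereferences its argument directly would turn odd output into a crash. If a keyless child can reach this branch, a guard such as `json_string_dump(fh, el->key ? el->key : "");` keeps the output well-formed. A short comment above the call, for example `/* keys can carry neighbor-supplied text after json_element_cleanup(); escape them like values */`, would record why the key must not be printed directly. `json_element_dump` starts and ends outside the hunk.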