It seems that the RFC8259 and ECMA-404 definitions of JSON are unclear on the escaping of solidus, aka forward slash.
RFC8259 states:
Any character may be escaped.
All Unicode characters may be placed within the quotation marks, except for the characters that MUST be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F).
char = unescaped /
escape (
%x22 / ; " quotation mark U+0022
%x5C / ; \ reverse solidus U+005C
%x2F / ; / solidus U+002F
%x62 / ; b backspace U+0008
%x66 / ; f form feed U+000C
%x6E / ; n line feed U+000A
%x72 / ; r carriage return U+000D
%x74 / ; t tab U+0009
%x75 4HEXDIG ) ; uXXXX U+XXXX
escape = %x5C ; \
quotation-mark = %x22 ; "
unescaped = %x20-21 / %x23-5B / %x5D-10FFFF
Here solidus is the only character which is mentioned in the "escape" block, which also falls in the "unescaped" range.
Why is it mentioned so explicitly here? Should it be escaped, or should it not?
1 Answer 1
Section 7 of RFC8259 concerns strings:
All Unicode characters may be placed within the quotation marks, except for the characters that MUST be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F).
Since the forward slash (solidus) is not listed in the characters that MUST be escaped ("MUST" meaning "mandatory"), then the forward slash does not need to be escaped.
The next paragraph begins "Any character may be escaped." Here the significant word is "may" which means you are allowed to escape the character, but it is not mandatory. It is perfectly valid JSON to have / or %x2F in a JSON string literal.
The table showing the escaped and non-escaped versions of characters might have caused confusion. The conversion table does not imply you must escape those characters. Instead, the conversion table exists to describe the escaped values as part of the specification. It does not make such conversions mandatory. It is purely informational.
<script>tags.