Input mapping is buggy

[gibson042]

This package commits the cardinal sin of escaping: failing to fully exempt non-escaped input from unescaping (e.g., escapeKey escapes each . as \. but fails to escape \ itself). As a result, there are some injection bugs: https://jsfiddle.net/euqLwk4r/

input

({
  a: [ "/'a'[0]: string that becomes a regex/" ],
  'a.0': /'a.0': regex that becomes a string/,
  'b.0': "/'b.0': string that becomes a regex/",
  'b\\': [ /'b\\'[0]: regex that becomes a string/ ],
})

encodes to

{
  "json": {
    "a": [ "/'a'[0]: string that becomes a regex/" ],
    "a.0": "/'a.0': regex that becomes a string/",
    "b.0": "/'b.0': string that becomes a regex/",
    "b\\": [ "/'b\\\\'[0]: regex that becomes a string/" ]
  },
  "meta": {
    "values": {
      "a.0": [ "regexp" ],
      "b\\.0": [ "regexp" ]
    }
  }
}

which decodes as the input-dissimilar

({
  a: [ /'a'[0]: string that becomes a regex/ ],
  'a.0': "/'a.0': regex that becomes a string/",
  'b.0': /'b.0': string that becomes a regex/,
  'b\\': [ "/'b\\\\'[0]: regex that becomes a string/" ],
})

[Skn0tt]

Thanks for the report, this makes sense to me. You're the first in quite a long time to report this, so at least it's not a giant impact. Do you see a way for us to fix this without breaking changes?