Part of #21: MEDIUM: No input validation before API calls
Scope
Ensure user-provided text is properly sanitized/escaped before being embedded in JSON request bodies sent to AI APIs.
What to do
- Audit how user messages are embedded into JSON request bodies in each AI client
- Ensure proper JSON string escaping (control characters, quotes, backslashes, Unicode)
- Use a JSON library (e.g., Jackson, Gson, org.json) for request construction rather than string concatenation
- Handle encoding edge cases (invalid UTF-8 sequences, BOM characters)
Acceptance criteria
- User messages with special characters (quotes, backslashes, newlines, Unicode) are correctly escaped
- No malformed JSON is sent to any API
- JSON construction uses a library, not string concatenation
- Unit tests cover edge cases (emoji, multi-byte characters, control chars)
Part of #21: MEDIUM: No input validation before API calls
Scope
Ensure user-provided text is properly sanitized/escaped before being embedded in JSON request bodies sent to AI APIs.
What to do
Acceptance criteria