cJSON
Invalid `\uXXXX` not detected
The following program runs successfully:
#ifdef NDEBUG
# error compile with assertions for this test
#endif
#include <cjson/cJSON.h>
#include <assert.h>
#include <string.h>
int main(void) {
    cJSON *s = cJSON_Parse(u8"[\"\\uX000α\"]"), *a = NULL;
    int found = 0;
    assert(cJSON_IsArray(s));
    cJSON_ArrayForEach(a, s) {
        assert(cJSON_IsString(a));
        assert(a->valuestring);
        /* the invalid \uX000 was decoded as a NUL byte, so the C string looks empty */
        assert(a->valuestring[0] == '\0');
        /* but the bytes that followed it (α) are still there after the NUL */
        assert(!memcmp(a->valuestring, u8"\0α", sizeof u8"\0α"));
        assert(found == 0);
        found = 1;
    }
    assert(found);
    cJSON_Delete(s);
}
cJSON_Parse should return NULL since \uX000 isn’t a valid escape sequence. Instead, it is treated as \u0000. I would also expect \u0000 to be rejected, since cJSON cannot represent it properly. However, if cJSON was changed to use counted-length strings, then I would be fine with \u0000 being accepted with a non-default option. Silently allowing NUL characters is a bad idea, since it can easily cause security vulnerabilities in programs that are not expecting them. \uX000 should, of course, be rejected in all modes.
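Added example, not part of the original report and not cJSON's own code: a small, hypothetical \uXXXX decoder in C that does the two things the report asks for. The hex parser reports "not hex" separately from the value instead of returning 0 for both, so \uX000 fails in every mode, and a genuine \u0000 is rejected unless the caller opts in and promises to use the returned length rather than strlen(). The last function shows the hazard of that opt-in: the decoded buffer holds three bytes, but a strlen()-based consumer sees none of them. Function names, the allow_nul flag and the sample inputs are all constructed for this illustration; surrogate pairs and the simple escapes (\n, \", ...) are outside its scope.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical strict hex parser (example code, not cJSON's parse_hex4).
 * Returns 1 and stores the 16-bit code unit on success, 0 if any of the four
 * characters is not a hex digit. Returning 0 as the *value* on bad input, which
 * is what the report above observes, makes \uX000 indistinguishable from \u0000. */
static int parse_hex4_strict(const char *s, unsigned *out)
{
    unsigned v = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)s[i];
        unsigned d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return 0;
        v = (v << 4) | d;
    }
    *out = v;
    return 1;
}

/* Convenience wrapper: the code unit, or -1 if the four characters are not hex. */
static long strict_hex4_value(const char *s)
{
    unsigned v;
    return parse_hex4_strict(s, &v) ? (long)v : -1;
}

/* Append code point cp (<= 0xFFFF) to out as UTF-8; returns bytes written, 0 if out is full. */
static size_t put_utf8(unsigned cp, char *out, size_t o, size_t cap)
{
    size_t n = cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3;
    if (o + n > cap) return 0;
    if (n == 1) {
        out[o] = (char)cp;
    } else if (n == 2) {
        out[o]     = (char)(0xC0 | (cp >> 6));
        out[o + 1] = (char)(0x80 | (cp & 0x3F));
    } else {
        out[o]     = (char)(0xE0 | (cp >> 12));
        out[o + 1] = (char)(0x80 | ((cp >> 6) & 0x3F));
        out[o + 2] = (char)(0x80 | (cp & 0x3F));
    }
    return n;
}

/* Decode the \uXXXX escapes of a JSON string body (no surrounding quotes; raw
 * UTF-8 bytes pass through) into out[cap]. Returns the decoded length, or -1
 * on an invalid escape. With allow_nul == 0 a well-formed \u0000 is rejected
 * too, because a NUL-terminated C string cannot carry it; with allow_nul != 0
 * the caller must work from the returned length, never from strlen(). */
static long decode_u_escapes(const char *in, size_t in_len,
                             char *out, size_t cap, int allow_nul)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; ) {
        if (in[i] != '\\') {
            if (o + 1 > cap) return -1;
            out[o++] = in[i++];
            continue;
        }
        unsigned cp;
        if (i + 6 > in_len || in[i + 1] != 'u') return -1;   /* truncated or unsupported escape */
        if (!parse_hex4_strict(in + i + 2, &cp)) return -1;  /* e.g. \uX000: rejected in all modes */
        if (cp == 0 && !allow_nul) return -1;                /* \u0000: rejected unless opted in */
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1;         /* surrogates not handled here */
        size_t n = put_utf8(cp, out, o, cap);
        if (n == 0) return -1;
        o += n;
        i += 6;
    }
    return (long)o;
}

/* Decode into a scratch buffer and return only the length (or -1). */
static long decoded_len(const char *in, size_t in_len, int allow_nul)
{
    char out[64];
    return decode_u_escapes(in, in_len, out, sizeof out, allow_nul);
}

/* The hazard the report describes: "\u0000α" decoded with NULs allowed is 3
 * bytes, but strlen() on the same buffer reports 0. Returns how many decoded
 * bytes a strlen()-based consumer would silently lose. */
static size_t bytes_hidden_by_nul(void)
{
    static const char in[] = "\\u0000\xCE\xB1";   /* constructed input: \u0000 then α */
    char out[16];
    long n = decode_u_escapes(in, sizeof in - 1, out, sizeof out - 1, 1);
    if (n < 0) return 0;
    out[n] = '\0';
    return (size_t)n - strlen(out);
}

int main(void)
{
    assert(strict_hex4_value("X000") == -1);                  /* the report's bad escape */
    assert(decoded_len("\\uX000\xCE\xB1", 8, 0) == -1);        /* rejected with NULs forbidden ... */
    assert(decoded_len("\\uX000\xCE\xB1", 8, 1) == -1);        /* ... and with NULs allowed */
    assert(decoded_len("\\u0000\xCE\xB1", 8, 0) == -1);        /* real \u0000: rejected by default */
    assert(decoded_len("\\u0000\xCE\xB1", 8, 1) == 3);         /* accepted only on request */
    printf("bytes hidden behind the NUL: %zu\n", bytes_hidden_by_nul());
    return 0;
}
```

The point of the allow_nul flag is the one the report makes about counted-length strings: an API that hands back `char *` with no length has no safe way to say yes to \u0000, so the default must be to fail the parse, and the opt-in only makes sense once every consumer reads the length instead of scanning for the terminator.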