json: escape < and > in any JSON string.

Angle brackets can trigger some browser sniffers, causing
some forms of JSON output to be interpreted as HTML.
Escaping angle brackets closes that security hole.

R=rsc
CC=golang-dev
https://golang.org/cl/4701047

src/pkg/json/decode_test.go

@@ -208,6 +208,18 @@ func TestUnmarshalPtrPtr(t *testing.T) {
 	}
 }
 
+func TestEscape(t *testing.T) {
+	const input = `"foobar"<html>`
+	const expected = `"\"foobar\"\u003chtml\u003e"`
+	b, err := Marshal(input)
+	if err != nil {
+		t.Fatalf("Marshal error: %v", err)
+	}
+	if s := string(b); s != expected {
+		t.Errorf("Encoding of [%s] was [%s], want [%s]", input, s, expected)
+	}
+}
+
 func TestHTMLEscape(t *testing.T) {
 	b, err := MarshalForHTML("foobarbaz<>&quux")
 	if err != nil {