middleware/DefaultLoggerConfig looks like JSON, but doesn't escape

[Drahflow]

https://github.com/labstack/echo/blob/612967a9fec11b112a16c7b62efc2344eae308e8/middleware/logger.go#L205,L208 defines a JSON-like log format, suggesting logs will be formatted as JSON when it is used.

However, no escaping takes place.

Running the Example from README.md and then

% echo -ne 'GET /?","method":":D","remote_ip":"123.456.789.101112","_":" HTTP/1.0\r\n\r\n' | netcat 127.0.0.1 8080

results in this log:

{"time":"2025-12-09T17:55:44.83979515+01:00","id":"","remote_ip":"127.0.0.1","host":"","method":"GET","uri":"/?","method":":D","remote_ip":"123.456.789.101112","_":"","user_agent":"","status":200,"error":"","latency":8089,"latency_human":"8.089µs","bytes_in":0,"bytes_out":13}

Parsing that as JSON (e.g. with jq) gives

{
  "time": "2025-12-09T17:55:44.83979515+01:00",
  "id": "",
  "remote_ip": "123.456.789.101112",
  "host": "",
  "method": ":D",
  "uri": "/?",
  "_": "",
  "user_agent": "",
  "status": 200,
  "error": "",
  "latency": 8089,
  "latency_human": "8.089µs",
  "bytes_in": 0,
  "bytes_out": 13
}

I.e. the attacker is free to overwrite fields or (at their discretion) break JSON parsing completely.

[aldas]

note to self:

• do some naive " escaping (although user does not necessarily use JSON format for their middleware.LoggerConfig.Format and we may break their expectations after this change - but should be very small number of users). JSON string encoder logic can be seen here
• we probably should mark this middleware deprecated. Point users to RequestLogger
• replace middleware.Logger() to use RequestLogger middleware with similar configuration that uses json.Marshal

[Drahflow]

You'll also want to escape \ (as in "key": "value\").

[aldas]

I'll pretty much copy standard library json appendString function.

[aldas]

@Drahflow Thank for pointing this out. Fix for this is included in the new minor version release v4.14.0.