F-2025-0002 · input-sanitization

Missing JSON sanitization in tokenURI enables metadata injection attacks

Tags: Fixed · nft · erc721 · erc20
TL;DR

The tokenURI function concatenates user-controlled strings into JSON without sanitization, letting vault owners inject duplicate keys that override metadata fields displayed by NFT marketplaces and frontends.

Severity: HIGH
Impact: MEDIUM
Likelihood: HIGH
Method: Manual review
Category: input-sanitization
Complexity: LOW
Exploitability: HIGH

Description

The tokenURI function constructs JSON metadata by directly concatenating user-controlled strings without proper sanitization, enabling JSON injection attacks. This vulnerability allows vault owners to inject malicious JSON syntax through the vaultId and imageURL parameters when calling setSubscription(), potentially manipulating the metadata structure and content displayed for their NFTs.

The vulnerable code directly embeds unsanitized user input into JSON strings:

```solidity
string memory json = string.concat(
    "{",
    "\"name\":\"", data.resourceId, "\",", // Unsanitized user input
    "\"description\":\"This NFT grants access to a knowledge vault.\",",
    "\"external_url\":\"https://knowledge-market.io/vaults/",
    data.resourceId, "\",", // Unsanitized user input
    "\"image\":\"", imageUrl, "\",", // Unsanitized user input
    // ... rest of JSON construction
    "}"
);
```

Vulnerable Scenario:

The following steps help reproduce the issue:

  1. A vault owner calls setSubscription() with malicious JSON characters in the vaultId parameter: 'MyVault", "description": "HACKED!", "image": "ipfs://malicious.jpg", "name": "FakeNFT'
  2. The system stores this malicious string without validation or sanitization.
  3. When tokenURI() is called for an NFT from this vault, it constructs JSON by directly concatenating the malicious string.
  4. The resulting JSON contains injected fields that can override intended metadata values: {"name": "MyVault", "description": "HACKED!", "image": "ipfs://malicious.jpg", "name": "FakeNFT", "description": "This NFT grants access to a knowledge vault.", ...}
  5. JSON parsers typically use the last occurrence of duplicate keys, causing the injected values to override the legitimate ones.
  6. Frontend applications and NFT marketplaces display the manipulated metadata to users.

Impact

Vault owners can manipulate the metadata display of their own NFTs through JSON injection, potentially deceiving buyers and causing integration issues. While the attack scope is limited to self-owned NFTs, it creates risks for marketplace integrity, user trust, and frontend security. The vulnerability can lead to display of misleading content, impersonation of valuable NFTs, and potential code execution if frontend applications use insecure JSON parsing methods like eval().


Recommendation

Use the OWASP JSON Sanitizer library, which is specifically designed to neutralize JSON injection. It converts JSON-like content into valid, well-formed JSON and is widely used in production systems. At minimum, every user-controlled string placed inside a JSON string literal must have its quotes, backslashes and control characters escaped before concatenation.
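The following Solidity contract is an added example, not the audited contract's code and not Zealynx's or Ipal Network's fix. It applies the remediation this finding calls for to the tokenURI construction shown in the Description: each user-controlled string is run through an escape function before it is placed inside a JSON string literal, and the finished document is returned as a Base64 data URI. The contract name VaultMetadata, the storage layout, the setSubscription signature and the _escapeJSON helper are assumptions made for the example; the OpenZeppelin Base64 import is a real library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/utils/Base64.sol";

/// @dev Hypothetical hardened metadata builder (example code, not the audited contract).
contract VaultMetadata {
    struct VaultData {
        string resourceId; // vaultId supplied by the vault owner via setSubscription()
        string imageUrl;   // imageURL supplied by the vault owner via setSubscription()
    }

    mapping(uint256 => VaultData) private _vaults;

    /// @notice Assumed setter mirroring the one the finding describes.
    function setSubscription(uint256 tokenId, string calldata vaultId, string calldata imageUrl) external {
        // Ownership and authorization checks are omitted to keep the example focused.
        _vaults[tokenId].resourceId = vaultId;
        _vaults[tokenId].imageUrl = imageUrl;
    }

    /// @dev Escape a string so it can sit inside a JSON string literal without
    ///      terminating it: quotes, backslashes and control characters are escaped.
    function _escapeJSON(string memory input) internal pure returns (string memory) {
        bytes memory src = bytes(input);
        // Worst case every byte expands to 6 bytes (\u00XX), so allocate 6x and shrink later.
        bytes memory out = new bytes(src.length * 6);
        uint256 n = 0;
        for (uint256 i = 0; i < src.length; i++) {
            bytes1 c = src[i];
            if (c == '"') { out[n++] = '\\'; out[n++] = '"'; }
            else if (c == '\\') { out[n++] = '\\'; out[n++] = '\\'; }
            else if (c == 0x08) { out[n++] = '\\'; out[n++] = 'b'; }
            else if (c == 0x0c) { out[n++] = '\\'; out[n++] = 'f'; }
            else if (c == 0x0a) { out[n++] = '\\'; out[n++] = 'n'; }
            else if (c == 0x0d) { out[n++] = '\\'; out[n++] = 'r'; }
            else if (c == 0x09) { out[n++] = '\\'; out[n++] = 't'; }
            else if (uint8(c) < 0x20) {
                // Remaining control characters become \u00XX.
                out[n++] = '\\'; out[n++] = 'u'; out[n++] = '0'; out[n++] = '0';
                out[n++] = _hex(uint8(c) >> 4);
                out[n++] = _hex(uint8(c) & 0x0f);
            } else {
                out[n++] = c;
            }
        }
        // Truncate the buffer to the number of bytes actually written.
        assembly { mstore(out, n) }
        return string(out);
    }

    function _hex(uint8 nibble) private pure returns (bytes1) {
        return nibble < 10 ? bytes1(nibble + 0x30) : bytes1(nibble + 0x57);
    }

    /// @notice Same structure as the vulnerable tokenURI, but every user-controlled
    ///         value is escaped first and the JSON is Base64-encoded.
    function tokenURI(uint256 tokenId) public view returns (string memory) {
        VaultData memory data = _vaults[tokenId];
        string memory safeId = _escapeJSON(data.resourceId);
        string memory safeImage = _escapeJSON(data.imageUrl);
        string memory json = string.concat(
            '{"name":"', safeId,
            '","description":"This NFT grants access to a knowledge vault.",',
            '"external_url":"https://knowledge-market.io/vaults/', safeId,
            '","image":"', safeImage, '"}'
        );
        return string.concat("data:application/json;base64,", Base64.encode(bytes(json)));
    }
}
```

With this in place, the payload from the Vulnerable Scenario is stored unchanged but rendered as `"name":"MyVault\", \"description\": \"HACKED!\", ..."`: the embedded quotes are escaped, so a parser reads the whole payload as the value of a single name field and no duplicate description or image key is created. Escaping protects the JSON structure only; it does not validate that imageUrl is a sensible URL or bound the length of resourceId, and frontends should still parse the metadata with a real JSON parser rather than eval().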


Resolution

Ipal Network: Confirmed. Input sanitization has been added to the metadata construction process, preventing malicious data from being injected into the token URI.

Zealynx: Fixed. JSON sanitization properly implemented with escape function for all user-controlled strings, plus Base64 encoding for additional security.

Status: Fixed


© 2026 Zealynx