Before this change, HTML and some JS code (as far as it was not escaped
by json_encode) could be injected into the output as the closing pattern
that is checked by the regex is not escaped in JSON (see test case).