It may be fixes bug but causes sending invalid timezone to server.
We could fix it with https://pkg.go.dev/time#LoadLocation but it might have horrible performance. :-(

We should not accept invalid timezone and inform application owner about malicious attempt.
the most simple way is to compare length of escaped and unescapted TZ and return error say that TZ contains invalid string and print escaped string.

Good catch. Not only time.LoadLocation is slow, there also a chance, the timezone location we look up for may not present in the local node that is running (that not necessarily meaning it's invalid).

I think comparing the length approach is decent one. But I'm bit worried it's not full fool proof. Technically there is no limit on the timezone string.

Let me think about it.

@kavirajk the idea is not to limit string but check if we escaped something.
if UTC or ANY_LONG_TIMEZONE/ON_SOME_FAR_FAR_PLANET is in - then we have nothing to escape and
len(original) == len(escaped).

The main thing here is to catch invalid thing on client side. Most cases it should be fine - but weird names will be blocked and users will create issue if they believe it is a valid timezone.

Make sense. I added the length check and updated the tests accordingly. @chernser