--- CBOR-XS/XS.xs	2013/11/30 18:13:53	1.37
+++ CBOR-XS/XS.xs	2013/12/01 14:30:52	1.38
@@ -101,6 +101,7 @@
 #define F_ALLOW_SHARING   0x00000004UL
 #define F_ALLOW_CYCLES    0x00000008UL
 #define F_PACK_STRINGS    0x00000010UL
+#define F_VALIDATE_UTF8   0x00000020UL
 
 #define INIT_SIZE   32 // initial scalar size to be allocated
 
@@ -738,9 +739,6 @@
 
         dec->cur += len;
 
-        if (ecb_expect_false (dec->stringref))
-          av_push (dec->stringref, newSVpvn (key, len));
-
         hv_store (hv, key,  len, decode_sv (dec), 0);
 
         return;
@@ -752,8 +750,9 @@
 
         dec->cur += len;
 
-        if (ecb_expect_false (dec->stringref))
-          av_push (dec->stringref, newSVpvn_utf8 (key, len, 1));
+        if (ecb_expect_false (dec->cbor.flags & F_VALIDATE_UTF8))
+          if (!is_utf8_string (key, len))
+            ERR ("corrupted CBOR data (invalid UTF-8 in map key)");
 
         hv_store (hv, key, -len, decode_sv (dec), 0);
 
@@ -765,6 +764,9 @@
 
   hv_store_ent (hv, k, v, 0);
   SvREFCNT_dec (k);
+
+fail:
+  ;
 }
 
 static SV *
@@ -856,7 +858,13 @@
     }
 
   if (utf8)
-    SvUTF8_on (sv);
+    {
+      if (ecb_expect_false (dec->cbor.flags & F_VALIDATE_UTF8))
+        if (!is_utf8_string (SvPVX (sv), SvCUR (sv)))
+          ERR ("corrupted CBOR data (invalid UTF-8 in text string)");
+
+      SvUTF8_on (sv);
+    }
 
   return sv;
 
@@ -1225,6 +1233,7 @@
         allow_sharing   = F_ALLOW_SHARING
         allow_cycles    = F_ALLOW_CYCLES
         pack_strings    = F_PACK_STRINGS
+        validate_utf8   = F_VALIDATE_UTF8
 	PPCODE:
 {
         if (enable)
@@ -1242,6 +1251,7 @@
         get_allow_sharing   = F_ALLOW_SHARING
         get_allow_cycles    = F_ALLOW_CYCLES
         get_pack_strings    = F_PACK_STRINGS
+        get_validate_utf8   = F_VALIDATE_UTF8
 	PPCODE:
         XPUSHs (boolSV (self->flags & ix));