Merge pull request #2 from rudy-on-rails/rudy-on-rails/sanitize-string-inputs

Sanitize double quoting strings inside of strings

Author: rudy-on-rails

core/src/main/kotlin/me/lazmaid/kraph/lang/GraphQLNode.kt

@@ -27,7 +27,7 @@ internal abstract class GraphQLNode {
     @Suppress("UNCHECKED_CAST")
     private fun convertToDataEntry(value: Any?) =
             when(value) {
-                is String   -> DataEntry.StringData(value)
+                is String   -> DataEntry.StringData(value.escapeQuotes())
                 is Int      -> DataEntry.NonDecimalNumberData(value.toLong())
                 is Long     -> DataEntry.NonDecimalNumberData(value)
                 is Float    -> DataEntry.DecimalNumberData(value.toDouble())
@@ -42,6 +42,10 @@ internal abstract class GraphQLNode {
             }
 }
 
+internal fun String.escapeQuotes() =
+    this.replace("\\s+".toRegex(), " ")
+        .replace("\"", "\\\\\\\"")
+
 internal fun String.wrappedWithQuotes(shouldBeEscaped: Boolean) =
         if (shouldBeEscaped) {
             "\"$this\""

core/src/test/kotlin/me/lazmaid/kraph/test/BuilderSpek.kt

@@ -322,6 +322,21 @@ class BuilderSpek : Spek({
                 }
             }
         }
+
+        given("sample mutation with unescaped characters") {
+            val query = Kraph {
+                mutation {
+                    field("someField",
+                        args = mapOf(
+                            "foo" to "some \"bar\" over"
+                        )
+                    )
+                }
+            }
+            it("should escape those characters") {
+                assertThat(query.toRequestString(), equalTo("{\"query\": \"mutation { someField (foo: \\\"some \\\\\\\"bar\\\\\\\" over\\\") }\", \"variables\": null, \"operationName\": null}"))
+            }
+        }
     }
 })