fix: escape single quotation mark in json merge values

cyjake · Jan 8, 2025 · aa90e4d · aa90e4d
1 parent 2e31e11
commit aa90e4d
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/src/bone.js b/src/bone.js
@@ -9,6 +9,7 @@ const deepEqual = require('deep-equal');
 const debug = require('debug')('leoric');
 const pluralize = require('pluralize');
 const { executeValidator, LeoricValidateError } = require('./validator');
+// const { escape } = require('sqlstring');
 require('reflect-metadata');
 
 const { default: DataTypes } = require('./data_types');
@@ -1580,7 +1581,7 @@ class Bone {
     const method = preserve ? 'JSON_MERGE_PRESERVE' : 'JSON_MERGE_PATCH';
     const data = { ...values };
     for (const [name, value] of Object.entries(values)) {
-      data[name] = new Raw(`${method}(${name}, '${JSON.stringify(value)}')`);
+      data[name] = new Raw(`${method}(${name}, '${JSON.stringify(value).replaceAll("'", "\\'")}')`);
     }
     return this.update(conditions, data, restOptions);
   }

diff --git a/test/integration/suite/json.test.js b/test/integration/suite/json.test.js
@@ -76,6 +76,12 @@ describe('=> Basic', () => {
       assert.equal(gen.extra.a, 3);
     });
 
+    it('Bone.jsonMerge(conditions, values, options) should escape values', async () => {
+      const gen = await Gen.create({ name: '章3️⃣疯', extra: {} });
+      await Gen.jsonMerge({ id: gen.id }, { extra: { a: "foo\'bar" } });
+      await gen.reload();
+      assert.equal(gen.extra.a, 'foo\'bar');
+    });
 
     it('Bone.jsonMergePreserve(conditions, values, options) should work', async () => {
       const gen = await Gen.create({ name: '章3️⃣疯', extra: {} });