Merge pull request #941 from krissetto/escape-js-template-literals

dgageot · web-flow · commit 52a5bb4b09ae · 2025-11-26T13:52:10.000+01:00
Escape js template literals
diff --git a/pkg/js/expand.go b/pkg/js/expand.go
@@ -3,13 +3,24 @@ package js
 import (
 	"context"
 	"fmt"
+	"strings"
 	"sync"
 
 	"github.com/dop251/goja"
 
 	"github.com/docker/cagent/pkg/environment"
 )
 
+// escapeForTemplateLiteral escapes characters that have special meaning in
+// JavaScript template literals
+func escapeForTemplateLiteral(s string) string {
+	// Escape backticks so they don't terminate the template literal.
+	// Also escape backslashes that precede backticks to avoid double-escaping issues.
+	s = strings.ReplaceAll(s, "\\`", "\\\\`") // First escape already-escaped backticks
+	s = strings.ReplaceAll(s, "`", "\\`")     // Then escape remaining backticks
+	return s
+}
+
 type jsEnv func(string) goja.Value
 
 func (e jsEnv) Get(k string) goja.Value     { return e(k) }
@@ -50,7 +61,7 @@ func (exp *Expander) ExpandMap(ctx context.Context, kv map[string]string) map[st
 	vm := exp.jsRuntime(ctx)
 
 	for k, v := range kv {
-		result, err := vm.RunString("`" + v + "`")
+		result, err := vm.RunString("`" + escapeForTemplateLiteral(v) + "`")
 		if err != nil {
 			expanded[k] = v
 			continue
@@ -65,7 +76,7 @@ func (exp *Expander) ExpandMap(ctx context.Context, kv map[string]string) map[st
 func (exp *Expander) Expand(ctx context.Context, text string) string {
 	vm := exp.jsRuntime(ctx)
 
-	result, err := vm.RunString("`" + text + "`")
+	result, err := vm.RunString("`" + escapeForTemplateLiteral(text) + "`")
 	if err != nil {
 		return text
 	}
@@ -80,7 +91,7 @@ func ExpandString(ctx context.Context, str string, values map[string]string) (st
 		_ = vm.Set(k, v)
 	}
 
-	expanded, err := vm.RunString("`" + str + "`")
+	expanded, err := vm.RunString("`" + escapeForTemplateLiteral(str) + "`")
 	if err != nil {
 		return "", err
 	}
diff --git a/pkg/js/expand_test.go b/pkg/js/expand_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestExpand(t *testing.T) {
@@ -58,6 +59,18 @@ func TestExpand(t *testing.T) {
 			envVars:  map[string]string{},
 			expected: "UNKNOWN",
 		},
+		{
+			name:     "backticks in template (markdown code fence)",
+			commands: "Here is code:\n```\n${env.CODE}\n```\nEnd.",
+			envVars:  map[string]string{"CODE": "fmt.Println()"},
+			expected: "Here is code:\n```\nfmt.Println()\n```\nEnd.",
+		},
+		{
+			name:     "multiple backticks",
+			commands: "Use `inline` and ```block``` code",
+			envVars:  map[string]string{},
+			expected: "Use `inline` and ```block``` code",
+		},
 	}
 
 	for _, tt := range tests {
@@ -128,6 +141,63 @@ func TestExpandMap_Empty(t *testing.T) {
 	assert.Empty(t, result)
 }
 
+func TestExpandString(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		template string
+		values   map[string]string
+		expected string
+		wantErr  bool
+	}{
+		{
+			name:     "simple substitution",
+			template: "Hello ${name}!",
+			values:   map[string]string{"name": "World"},
+			expected: "Hello World!",
+		},
+		{
+			name:     "multiple values",
+			template: "File: ${path} (chunk ${index})",
+			values:   map[string]string{"path": "/foo/bar.go", "index": "0"},
+			expected: "File: /foo/bar.go (chunk 0)",
+		},
+		{
+			name:     "backticks in template are preserved",
+			template: "Code:\n```\n${content}\n```",
+			values:   map[string]string{"content": "func main() {}"},
+			expected: "Code:\n```\nfunc main() {}\n```",
+		},
+		{
+			name:     "backticks in value are preserved",
+			template: "The code is: ${code}",
+			values:   map[string]string{"code": "use `fmt.Println()`"},
+			expected: "The code is: use `fmt.Println()`",
+		},
+		{
+			name:     "semantic prompt with code fence",
+			template: "Summarize:\n```\n${content}\n```\nBe concise.",
+			values:   map[string]string{"content": "package main\n\nfunc main() {\n\tfmt.Println(`hello`)\n}"},
+			expected: "Summarize:\n```\npackage main\n\nfunc main() {\n\tfmt.Println(`hello`)\n}\n```\nBe concise.",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			result, err := ExpandString(t.Context(), tt.template, tt.values)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
 type testEnvProvider map[string]string
 
 func (p *testEnvProvider) Get(_ context.Context, name string) string {
