JSON-escape and percent-encode string elements

AdrianCurtin · AdrianCurtin · commit 923c81f41ac6 · 2026-04-20T17:17:02.000-04:00
Encode string list elements by JSON-escaping then percent-encoding so quotes, backslashes and newlines remain valid in the server-decoded JSON, while characters like &amp;, =, +, and # are protected from querystring parsing. Introduces _encodeStringElement (uses jsonEncode then Uri.encodeComponent) and updates _encodeStringElements to use it. Tests updated: stricter List&lt;String&gt;/List&lt;int&gt; typing, added a test to verify JSON-escaping of quotes and backslashes, and adjusted existing expectations for encoded delimiters.
diff --git a/packages/dart/lib/src/network/parse_query.dart b/packages/dart/lib/src/network/parse_query.dart
@@ -318,14 +318,23 @@ class QueryBuilder<T extends ParseObject> {
     );
   }
 
-  /// Percent-encodes String elements of [value] so that characters such as
-  /// `&`, `=`, `+`, and `#` survive URL querystring parsing when the list is
-  /// serialized into `where={...}` via [buildQuery]. Non-String elements are
-  /// left untouched. Mirrors the per-argument encoding applied by the scalar
-  /// [whereEqualTo] / [whereContains] family of methods.
+  /// JSON-escapes [value] and then percent-encodes the escaped content. The
+  /// JSON escaping keeps `"`, `\` and newlines valid inside the surrounding
+  /// string literal once the server URL-decodes the query; the percent
+  /// encoding keeps `&`, `=`, `+` and `#` from being chewed up by querystring
+  /// parsing on the way in.
+  String _encodeStringElement(String value) {
+    final String jsonString = jsonEncode(value);
+    return Uri.encodeComponent(
+      jsonString.substring(1, jsonString.length - 1),
+    );
+  }
+
+  /// Runs [_encodeStringElement] on each String in [value]; other elements
+  /// are passed through unchanged.
   List<dynamic> _encodeStringElements(List<dynamic> value) {
     return value
-        .map<dynamic>((dynamic e) => e is String ? Uri.encodeComponent(e) : e)
+        .map<dynamic>((dynamic e) => e is String ? _encodeStringElement(e) : e)
         .toList();
   }
 
diff --git a/packages/dart/test/src/network/parse_query_test.dart b/packages/dart/test/src/network/parse_query_test.dart
@@ -699,18 +699,15 @@ void main() {
     test(
         'list-based where methods encode special characters in String elements',
         () {
-      // arrange
       final queryBuilder = QueryBuilder.name('Diet_Plans');
 
-      // act
-      queryBuilder.whereContainedIn('topics', <dynamic>[
+      queryBuilder.whereContainedIn('topics', <String>[
         "RFI's & Change Orders",
         'Schedule (Impacts, Delays, Inspections)',
       ]);
-      queryBuilder.whereNotContainedIn('excluded', <dynamic>['a=b', 'c+d']);
-      queryBuilder.whereArrayContainsAll('tags', <dynamic>['x#y', 'z&w']);
+      queryBuilder.whereNotContainedIn('excluded', <String>['a=b', 'c+d']);
+      queryBuilder.whereArrayContainsAll('tags', <String>['x#y', 'z&w']);
 
-      // assert
       final queryString = queryBuilder.buildQuery();
       const encodedAmp = '%26'; // &
       const encodedEq = '%3D'; // =
@@ -722,22 +719,41 @@ void main() {
       expect(queryString, contains(encodedPlus));
       expect(queryString, contains(encodedHash));
 
-      // Ensure the raw unencoded delimiters do NOT appear inside the JSON
-      // values (they would break querystring parsing on the server).
+      // Raw delimiters would break querystring parsing on the server, so
+      // verify they are not present in the encoded output.
       expect(queryString.contains('& Change Orders'), isFalse);
       expect(queryString.contains('a=b'), isFalse);
       expect(queryString.contains('c+d'), isFalse);
       expect(queryString.contains('x#y'), isFalse);
     });
 
+    test(
+        'list-based where methods JSON-escape quotes and backslashes in String elements',
+        () {
+      final queryBuilder = QueryBuilder.name('Diet_Plans');
+
+      queryBuilder.whereContainedIn('topics', <String>[
+        'He said "hi"',
+        r'C:\path',
+      ]);
+
+      final queryString = queryBuilder.buildQuery();
+
+      // Encoded form of `\"` and `\\`: the backslash must survive URL decoding
+      // so the server sees valid JSON (e.g. "He said \"hi\"").
+      expect(queryString, contains('%5C%22'));
+      expect(queryString, contains('%5C%5C'));
+
+      // Unescaped `"` and `\` inside the string values would corrupt the JSON.
+      expect(queryString.contains('"He said "hi""'), isFalse);
+      expect(queryString.contains(r'C:\path'), isFalse);
+    });
+
     test('list-based where methods leave non-String elements untouched', () {
-      // arrange
       final queryBuilder = QueryBuilder.name('Diet_Plans');
 
-      // act
-      queryBuilder.whereContainedIn('nums', <dynamic>[1, 2, 3]);
+      queryBuilder.whereContainedIn('nums', <int>[1, 2, 3]);
 
-      // assert
       final queryString = queryBuilder.buildQuery();
       expect(queryString, contains('"\$in":[1,2,3]'));
     });
