From 8f45134697f41351e7800017e1414c04ac31e43b Mon Sep 17 00:00:00 2001
From: Roberto Franchini
Date: Mon, 27 Apr 2026 14:49:18 -0700
Subject: [PATCH] Potential fix for code scanning alert no. 1654: Incomplete string escaping or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../main/resources/static/js/studio-record-editor.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/studio/src/main/resources/static/js/studio-record-editor.js b/studio/src/main/resources/static/js/studio-record-editor.js
index 93a109687c..d5f0882749 100644
--- a/studio/src/main/resources/static/js/studio-record-editor.js
+++ b/studio/src/main/resources/static/js/studio-record-editor.js
@@ -23,6 +23,12 @@ function openRecordEditor(rid, type, properties, source) {
 showGraphRecordEditor();
 }
 
+function escapeSqlStringLiteral(value) {
+ return String(value)
+ .replace(/\\/g, "\\\\")
+ .replace(/'/g, "\\'");
+}
+
 function getRecordEditorTarget() {
 if (globalRecordEditorState.source === "table")
 return "#tableRecordEditorContent";
@@ -344,10 +350,10 @@ function saveRecordEditor() {
 JSON.parse(current);
 sqlValue = current;
 } catch (e) {
- sqlValue = "'" + current.replace(/'/g, "\\'") + "'";
+ sqlValue = "'" + escapeSqlStringLiteral(current) + "'";
 }
 } else
- sqlValue = "'" + current.replace(/'/g, "\\'") + "'";
+ sqlValue = "'" + escapeSqlStringLiteral(current) + "'";
 setParts.push("`" + prop + "` = " + sqlValue);
 });
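Review bot: escapeSqlStringLiteral carries no comment stating its contract, which matters because it is only correct inside a single-quoted SQL string literal (the callers in the second hunk add the surrounding quotes themselves) and because the backslash replacement must stay first, otherwise the `\'` produced by the quote pass would itself be doubled; a JSDoc such as `/** Escape a value for embedding inside a single-quoted SQL string literal. Backslashes are doubled before quotes are escaped; keep that order. Not for identifiers or raw JSON values. */` would capture that. Whether `\\` and `\'` are the escape sequences the server-side SQL parser actually honors, and whether newline or other control characters also need escaping, is not visible from this file and should be confirmed against that grammar. Since the escaped value is still concatenated into the statement text, passing it as a query parameter instead, if the studio's execution endpoint accepts parameters, would remove the need for client-side escaping altogether.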