pub fn sanitize_variable_value(value: &str) -> String
Sanitizes a variable value to prevent template injection attacks.
Performs three safety transformations:
- Escape nested patterns: Converts {{ to { { to prevent recursive substitution
- Remove control characters: Strips ASCII control chars (0x00-0x1F) except:
  - Tab (0x09)
  - Newline (0x0A)
  - Carriage return (0x0D)
- Length limiting: Truncates values exceeding MAX_VARIABLE_VALUE_LENGTH
§Arguments
- value - The raw user-provided variable value.
§Returns
A sanitized string safe for template substitution.
§Examples
use subcog::models::sanitize_variable_value;

// Nested patterns are escaped
assert_eq!(
    sanitize_variable_value("prefix {{nested}} suffix"),
    "prefix { {nested} } suffix"
);

// Control characters are removed
assert_eq!(
    sanitize_variable_value("hello\x00world"),
    "helloworld"
);

// Allowed whitespace is preserved
assert_eq!(
    sanitize_variable_value("line1\nline2\ttabbed"),
    "line1\nline2\ttabbed"
);
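
The following is an added example, not subcog's own code: a stand-alone sketch of the three documented steps, run against a toy substitution engine to show the recursive substitution that the escaping step prevents. The names `sanitize_sketch`, `render`, `demo` and `MAX_LEN`, the limit of 32, the step ordering and the handling of runs of three or more braces are assumptions of this sketch.

```rust
use std::collections::BTreeMap;

// Assumed limit for this sketch; the page does not give the value of
// MAX_VARIABLE_VALUE_LENGTH.
const MAX_LEN: usize = 32;

/// Sketch of the three documented steps (not subcog's implementation).
fn sanitize_sketch(value: &str) -> String {
    let mut out = String::new();
    for c in value.chars() {
        // Drop 0x00-0x1F except tab, newline and carriage return.
        if c < ' ' && !matches!(c, '\t' | '\n' | '\r') {
            continue;
        }
        // Split runs of identical braces so no "{{" or "}}" survives,
        // including pairs that only become adjacent after the removal above.
        if (c == '{' || c == '}') && out.ends_with(c) {
            out.push(' ');
        }
        out.push(c);
    }
    // Truncate on a character boundary.
    out.chars().take(MAX_LEN).collect()
}

/// Toy engine (hypothetical): replaces each {{name}} in turn, so text
/// inserted for an earlier variable is scanned again for later ones.
fn render(template: &str, vars: &BTreeMap<&str, String>) -> String {
    let mut out = template.to_string();
    for (name, value) in vars {
        out = out.replace(&format!("{{{{{}}}}}", name), value);
    }
    out
}

/// Constructed scenario: "a_user" is user-supplied, "b_secret" is not.
fn demo(user_value: &str, sanitized: bool) -> String {
    let raw = [("a_user", user_value), ("b_secret", "hunter2")];
    let vars: BTreeMap<&str, String> = raw
        .iter()
        .map(|(k, v)| (*k, if sanitized { sanitize_sketch(v) } else { v.to_string() }))
        .collect();
    render("Hello {{a_user}}", &vars)
}

fn main() {
    println!("{}", demo("{{b_secret}}", false)); // Hello hunter2
    println!("{}", demo("{{b_secret}}", true)); // Hello { {b_secret} }
}
```

Stripping control characters before escaping matters in this sketch: a value such as "{\x00{x}}" contains no {{ until the NUL is removed.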