escape printed characters to prevent command injection #45

src/application/Context/State/Code/Generation/Languages/BatchBuilder.ts

@@ -5,6 +5,12 @@ export class BatchBuilder extends CodeBuilder {
         return '::';
     }
     protected writeStandardOut(text: string): string {
-        return `echo ${text}`;
+        return `echo ${escapeForEcho(text)}`;
     }
 }
+
+function escapeForEcho(text: string) {
+    return text
+        .replace(/&/g, '^&')
+        .replace(/%/g, '%%');
+}