fix(realtime): escape quotes and backslashes in in filter values#1506
Merged
Conversation
PostgresChangeFilter.toString() quoted each `in` filter value without
escaping it, so a value containing a double quote or backslash (e.g.
`a"b`) produced a malformed filter like `in.("a"b")`. Escape `\` and
`"` inside each element before quoting, matching the PostgREST array
quoting used by PostgrestFilterBuilder.
…scaped `in` filters Removes comments that only restated the escaping logic already visible in the code, and adds a channel test that exercises the actual join-ack matching path with a value containing a quote and backslash, since the existing unit test only covered PostgresChangeFilter.toString() in isolation.
spydon
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
PostgresChangeFilter.toString()builds theinfilter by quoting each value, but never escapes the value first. A value containing a double quote or backslash produces a malformed filter:This escapes
\and"inside each element before quoting, so the value stays a single well-formed token.Why
The realtime
infilter had the same missing-escaping bug that was fixed for postgrest in #1481 (_cleanFilterArray), but the realtime copy intypes.dartwas never updated:Any subscription filtering on a list whose values contain
"or\sends a broken filter to the Realtime server. The fix mirrors the PostgREST/PostgreSQL array quoting used byPostgrestFilterBuilder:Not a breaking change
Values without
"or\render exactly as before (in.("active","pending")), and non-infilters are untouched. Only previously-malformed output changes.Tests
Added
packages/realtime_client/test/postgres_change_filter_test.dart: asserts['a"b\c']renders asname=in.("a\"b\\c"), that plain values are unchanged, and that non-infilters are unaffected. The escaping test fails on the old code (Actual: name=in.("a"b\c")) and passes with the fix.dart formatanddart analyze --fatal-warningsare clean.