Escape value passed to sequelize.json

lib/dialects/abstract/query-generator.js

@@ -1268,7 +1268,7 @@ module.exports = (function() {
           result = (value === 'NULL') ? key + ' IS NULL' : [key, value].join('=');
           result = (value === 'NULL') ? key + ' IS NULL' : [key, value].join('=');
         }
         }
       } else if (smth instanceof Utils.json) {
       } else if (smth instanceof Utils.json) {
-        result = smth.toString();
+        result = smth.toString(this);
       } else if (Utils._.isPlainObject(smth)) {
       } else if (Utils._.isPlainObject(smth)) {
         if (prepend) {
         if (prepend) {
           if (tableName) options.keysEscaped = true;
           if (tableName) options.keysEscaped = true;

lib/utils.js

@@ -625,7 +625,7 @@ Utils.col.prototype.toString = function(queryGenerator, parentModel) {
   return queryGenerator.quote(this.col, parentModel);
   return queryGenerator.quote(this.col, parentModel);
 };
 };
 
 
-Utils.json.prototype.toString = function () {
+Utils.json.prototype.toString = function (queryGenerator) {
   var _ = Utils._;
   var _ = Utils._;
 
 
   // A recursive parser for nested where conditions
   // A recursive parser for nested where conditions
@@ -666,7 +666,7 @@ Utils.json.prototype.toString = function () {
     }
     }
 
 
     if (this.value) {
     if (this.value) {
-      str += util.format(" = '%s'", this.value);
+      str += util.format(" = %s", queryGenerator.escape(this.value));
     }
     }
 
 
     return str;
     return str;

test/utils.test.js

@@ -148,6 +148,8 @@ describe(Support.getTestDialectTeaser("Utils"), function() {
   });
   });
 
 
   describe('json', function () {
   describe('json', function () {
+    var queryGeneratorStub = { escape: function (value) { return "'" + value + "'"; } };
+
     it('successfully parses a complex nested condition hash', function() {
     it('successfully parses a complex nested condition hash', function() {
       var conditions = {
       var conditions = {
         metadata: {
         metadata: {
@@ -156,23 +158,24 @@ describe(Support.getTestDialectTeaser("Utils"), function() {
         },
         },
         another_json_field: { x: 1 }
         another_json_field: { x: 1 }
       };
       };
-      expect((new Utils.json(conditions)).toString()).to.deep.equal("metadata#>>'{language}' = 'icelandic' and metadata#>>'{pg_rating,dk}' = 'G' and another_json_field#>>'{x}' = '1'");
+      var expected = "metadata#>>'{language}' = 'icelandic' and metadata#>>'{pg_rating,dk}' = 'G' and another_json_field#>>'{x}' = '1'";
+      expect((new Utils.json(conditions)).toString(queryGeneratorStub)).to.deep.equal(expected);
     });
     });
 
 
     it('successfully parses a string using dot notation', function () {
     it('successfully parses a string using dot notation', function () {
       var path = 'metadata.pg_rating.dk';
       var path = 'metadata.pg_rating.dk';
-      expect((new Utils.json(path)).toString()).to.equal("metadata#>>'{pg_rating,dk}'");
+      expect((new Utils.json(path)).toString(queryGeneratorStub)).to.equal("metadata#>>'{pg_rating,dk}'");
     });
     });
 
 
     it('allows postgres json syntax', function () {
     it('allows postgres json syntax', function () {
       var path = 'metadata->pg_rating->>dk';
       var path = 'metadata->pg_rating->>dk';
-      expect((new Utils.json(path)).toString()).to.equal(path);
+      expect((new Utils.json(path)).toString(queryGeneratorStub)).to.equal(path);
     });
     });
 
 
     it('can take a value to compare against', function () {
     it('can take a value to compare against', function () {
       var path = 'metadata.pg_rating.is';
       var path = 'metadata.pg_rating.is';
       var value = 'U';
       var value = 'U';
-      expect((new Utils.json(path, value)).toString()).to.equal("metadata#>>'{pg_rating,is}' = 'U'");
+      expect((new Utils.json(path, value)).toString(queryGeneratorStub)).to.equal("metadata#>>'{pg_rating,is}' = 'U'");
     });
     });
   });
   });