From 443db0da7fe58091082d7740635eaeda6b66db7b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Mar 2026 05:34:07 +0000
Subject: [PATCH 1/2] Initial plan

From 55bd83a64a30403c17e0a27cce74e49835e46bce Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Mar 2026 05:44:38 +0000
Subject: [PATCH 2/2] fix: use %q for safely quoting user-controlled expressions in error messages

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/expression_safety_validation.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/workflow/expression_safety_validation.go b/pkg/workflow/expression_safety_validation.go
index 777d5754edd..1d65f9b9026 100644
--- a/pkg/workflow/expression_safety_validation.go
+++ b/pkg/workflow/expression_safety_validation.go
@@ -168,9 +168,9 @@ func validateExpressionForDangerousProps(expression string) error {
 if part == dangerousProp {
 return NewValidationError(
 "expressions",
- fmt.Sprintf("dangerous property name '%s' found in expression", dangerousProp),
- fmt.Sprintf("expression '%s' contains the dangerous property name '%s'", expression, dangerousProp),
- fmt.Sprintf("Remove the dangerous property '%s' from the expression. Property names like constructor, __proto__, prototype, and similar JavaScript built-ins are blocked to prevent prototype pollution attacks. See PR #14826 for more details.", dangerousProp),
+ fmt.Sprintf("dangerous property name %q found in expression", dangerousProp),
+ fmt.Sprintf("expression %q contains the dangerous property name %q", expression, dangerousProp),
+ fmt.Sprintf("Remove the dangerous property %q from the expression. Property names like constructor, __proto__, prototype, and similar JavaScript built-ins are blocked to prevent prototype pollution attacks. See PR #14826 for more details.", dangerousProp),
 )
 }
 }
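Review bot: The diffstat shows only `expression_safety_validation.go` changed, so any test that pins the old single-quoted wording (e.g. asserting on `dangerous property name '__proto__'`) will now fail against the `%q` form; the old `'%s'` text should be grepped for in the test files and updated in the same commit. Of the three messages, only the second one echoes a user-controlled value (`expression`); `dangerousProp` is compared by equality against a fixed list, so switching it to `%q` is cosmetic but harmless for consistency. Since `expression` is user-controlled and reproduced verbatim, a very long expression is reproduced in full in the error detail; if these errors end up in logs or PR comments, consider capping it, e.g. `fmt.Sprintf("expression %.200q contains the dangerous property name %q", expression, dangerousProp)`. The enclosing `validateExpressionForDangerousProps` begins and ends outside the hunk.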