From e6ff8ed23ff6fec88c367a7bf47813280137af04 Mon Sep 17 00:00:00 2001
From: Dicky Moore
Date: Mon, 8 Dec 2025 21:54:13 +0000
Subject: [PATCH] fix: escape workflow manifest values safely
---
 tools/cli/installers/lib/core/manifest-generator.js | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/tools/cli/installers/lib/core/manifest-generator.js b/tools/cli/installers/lib/core/manifest-generator.js
index 5f2bb325..6ad7b790 100644
--- a/tools/cli/installers/lib/core/manifest-generator.js
+++ b/tools/cli/installers/lib/core/manifest-generator.js
@@ -581,7 +581,7 @@ class ManifestGenerator {
 */
 async writeWorkflowManifest(cfgDir) {
 const csvPath = path.join(cfgDir, 'workflow-manifest.csv');
- const escapeCsv = (value) => `"${String(value ?? '').replace(/"/g, '""')}"`;
+ const escapeCsv = (value) => `"${String(value ?? '').replaceAll('"', '""')}"`;
 const parseCsvLine = (line) => {
 const columns = line.match(/(".*?"|[^",\s]+)(?=\s*,|\s*$)/g) || [];
 return columns.map((c) => c.replaceAll(/^"|"$/g, ''));
@@ -635,12 +635,7 @@ class ManifestGenerator {
 // Write all workflows
 for (const [, value] of allWorkflows) {
- const row = [
- escapeCsv(value.name),
- escapeCsv(value.description),
- escapeCsv(value.module),
- escapeCsv(value.path),
- ].join(',');
+ const row = [escapeCsv(value.name), escapeCsv(value.description), escapeCsv(value.module), escapeCsv(value.path)].join(',');
 csv += row + '\n';
 }
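Review bot: `parseCsvLine`, in the context lines directly under the changed `escapeCsv` in the first hunk, does not reverse the escaping that `escapeCsv` applies. It matches a quoted field with the lazy `".*?"` and strips only the outer quotes, so a value containing `"` is read back with the doubled `""` still in it, and a value containing `",` is cut at that point into two columns. The switch from `.replace(/"/g, …)` to `.replaceAll('"', …)` produces the same output, so the round trip is no safer than before. I would make the quoted alternative `"(?:[^"]|"")*"` and un-double after stripping, `return columns.map((c) => c.replaceAll(/^"|"$/g, '').replaceAll('""', '"'));`. `escapeCsv` also keeps embedded line breaks inside the quoted field, which a per-line reader would mis-split if descriptions can be multi-line; the code that splits the file into lines is outside this hunk, so that needs checking there.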