815 B
815 B
Heredoc style
Prefer quoted heredoc style when defining GraphQL query strings.
# good
FooQuery = <<-'GRAPHQL'
{ version }
GRAPHQL
# bad
FooQuery = <<-GRAPHQL
{ version }
GRAPHQL
Using a single quoted heredoc disables interpolation. GraphQL queries should not be constructed via string concatenate, especially at runtime. Interpolating user values into a query may lead to a "GraphQL injection" security vulnerability. Pass variables:
instead of string interpolation.
# good
FooQuery = <<-'GRAPHQL'
query($id: ID!) {
node(id: $id) {
}
}
GRAPHQL
query(FooQuery, variables: { id: id })
# bad
FooQuery = <<-GRAPHQL
query {
node(id: "#{id}") {
}
}
GRAPHQL
query(FooQuery)
Bonus: Quoted heredocs syntax highlight look better in Atom.