Heredoc style

Prefer quoted heredoc style when defining GraphQL query strings.

```ruby
# good
FooQuery = <<-'GRAPHQL'
  { version }
GRAPHQL

# bad
FooQuery = <<-GRAPHQL
  { version }
GRAPHQL
```

Using a single-quoted heredoc disables interpolation. GraphQL queries should not be constructed via string concatenation, especially at runtime. Interpolating user values into a query may lead to a "GraphQL injection" security vulnerability. Pass values through `variables:` instead of string interpolation, so the query document stays a fixed constant and user input travels separately as data.

```ruby
# good: the query text is constant; the value is sent via variables
FooQuery = <<-'GRAPHQL'
  query($id: ID!) {
    node(id: $id) {
      id
    }
  }
GRAPHQL
query(FooQuery, variables: { id: id })

# bad: the value is spliced into the query text at runtime
FooQuery = <<-GRAPHQL
  query {
    node(id: "#{id}") {
      id
    }
  }
GRAPHQL
query(FooQuery)
```
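As an added example (not part of graphql-client), a small checker that scans Ruby source for `GRAPHQL` heredocs and reports the two patterns this guide warns about: an unquoted heredoc tag, which leaves interpolation enabled, and a `#{...}` interpolation inside the heredoc body. It assumes the heredoc terminator is named `GRAPHQL`, as in the examples above; the sample source is constructed.

```ruby
# Matches a heredoc opener such as <<-'GRAPHQL', <<~GRAPHQL or <<"GRAPHQL".
# Group 2 captures the quote character (empty when the tag is unquoted).
HEREDOC_START = /<<([-~]?)(['"]?)GRAPHQL\2\s*$/

# Returns an array of [line_number, message] pairs for a Ruby source string.
def graphql_heredoc_violations(source)
  violations = []
  in_body = false
  quoted = false # true only for the single-quoted form, which disables interpolation
  source.each_line.with_index(1) do |line, lineno|
    if !in_body
      m = HEREDOC_START.match(line)
      next unless m
      in_body = true
      quoted = (m[2] == "'")
      violations << [lineno, "unquoted GraphQL heredoc: use <<-'GRAPHQL' to disable interpolation"] unless quoted
    elsif line.strip == "GRAPHQL"
      in_body = false # terminator reached
    elsif !quoted && line.include?('#{')
      violations << [lineno, "value interpolated into GraphQL query: pass it via variables: instead"]
    end
  end
  violations
end

# Constructed sample source: one compliant heredoc and one that interpolates.
SAMPLE_SOURCE = <<~'RUBY'
  GoodQuery = <<-'GRAPHQL'
    query($id: ID!) { node(id: $id) { id } }
  GRAPHQL
  BadQuery = <<-GRAPHQL
    query { node(id: "#{id}") { id } }
  GRAPHQL
RUBY

if $PROGRAM_NAME == __FILE__
  graphql_heredoc_violations(SAMPLE_SOURCE).each do |lineno, msg|
    puts "line #{lineno}: #{msg}"
  end
end
```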

Bonus: quoted heredocs get better syntax highlighting in Atom.