Potential fix for code scanning alert no. 5: Incomplete string escaping or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: firestar300

config/webpack-sprite-hash-plugin.js

@@ -22,6 +22,16 @@ class SpriteHashPlugin {
 		}
 	}
 
+	/**
+	 * Escapes a string for safe use inside a PHP single-quoted string literal.
+	 *
+	 * @param {string} str Input string.
+	 * @return {string} Escaped string.
+	 */
+	_escapePhpSingleQuoted(str) {
+		return String(str).replace(/\\/g, '\\\\').replace(/'/g, "\\'")
+	}
+
 	/**
 	 * Formats a plain object as a PHP associative array string.
 	 *
@@ -30,8 +40,8 @@ class SpriteHashPlugin {
 	 */
 	formatPhpArray(obj) {
 		const entries = Object.entries(obj).map(([key, value]) => {
-			const escapedKey = key.replace(/'/g, "\\'")
-			const escapedValue = String(value).replace(/'/g, "\\'")
+			const escapedKey = this._escapePhpSingleQuoted(key)
+			const escapedValue = this._escapePhpSingleQuoted(value)
 			return `\t'${escapedKey}' => '${escapedValue}'`
 		})
 		return `array(\n${entries.join(',\n')}\n)`