Fix PowerShell variable expansion by not escaping $query in Body parameter

Copilot · MathiasVDA · Copilot · commit afd58a159515 · 2026-02-12T15:29:17.000Z
Co-authored-by: MathiasVDA &lt;15101339+MathiasVDA@users.noreply.github.com&gt;
diff --git a/packages/yasqe/src/__tests__/share-test.ts b/packages/yasqe/src/__tests__/share-test.ts
@@ -146,6 +146,7 @@ describe("Share Functionality", () => {
       expect(psString).to.include('"@');
       expect(psString).to.include(query);
       expect(psString).to.include('Body = "query=$query"');
+      expect(psString).to.not.include('Body = "query=`$query"'); // Should NOT escape the variable
       expect(psString).to.include("sparql-generated");
     });
 
diff --git a/packages/yasqe/src/sparql.ts b/packages/yasqe/src/sparql.ts
@@ -546,15 +546,20 @@ export function getAsPowerShellString(yasqe: Yasqe, _config?: Config["requestCon
     }
 
     // Build the body with the query variable and any other parameters
-    const bodyParts: string[] = [];
-    if (queryParam) {
-      bodyParts.push(`${queryParamName}=$${queryParamName}`);
-    }
-    if (Object.keys(otherArgs).length > 0) {
+    // Note: We don't escape the variable reference itself, only the other args
+    let bodyExpression: string;
+    if (queryParam && Object.keys(otherArgs).length > 0) {
+      // Both query variable and other args
+      const otherArgsString = queryString.stringify(otherArgs);
+      bodyExpression = `"${queryParamName}=$${queryParamName}&${escapePowerShellString(otherArgsString)}"`;
+    } else if (queryParam) {
+      // Only query variable
+      bodyExpression = `"${queryParamName}=$${queryParamName}"`;
+    } else {
+      // Only other args (shouldn't happen, but handle it)
       const otherArgsString = queryString.stringify(otherArgs);
-      bodyParts.push(otherArgsString);
+      bodyExpression = `"${escapePowerShellString(otherArgsString)}"`;
     }
-    const body = bodyParts.join("&");
 
     lines.push("$params = @{");
     lines.push(`    Uri = "${escapePowerShellString(url)}"`);
@@ -565,7 +570,7 @@ export function getAsPowerShellString(yasqe: Yasqe, _config?: Config["requestCon
       lines.push("    }");
     }
     lines.push(`    ContentType = "application/x-www-form-urlencoded"`);
-    lines.push(`    Body = "${escapePowerShellString(body)}"`);
+    lines.push(`    Body = ${bodyExpression}`);
     lines.push(`    OutFile = "sparql-generated.${fileExtension}"`);
     lines.push("}");
   } else {
