Bug description

Many implementations end up doing something similar to this:

```java
else if (value instanceof String s) {
    context.append(String.format("valueText:\"%s\" ", s));
}
```
This is problematic because this assumes the string contains neither `"` nor `\`.
This opens the door to injection issues.
This is only the surface of the problem: what about other escape sequences (like Unicode escapes, etc.)?
Maybe some implementations should be revisited to not rely on String concatenation, but rather use a proper library to construct the filter, where applicable.
Expected behavior

Strings (and other types where applicable) are correctly encoded.
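
The difference between the naive formatting above and an encoded value, as an added example that is not code from this issue or from the project. It assumes the target filter syntax uses JSON/GraphQL-style string literals with backslash escapes; the class and method names and the sample values are constructed for illustration.

```java
public class FilterStringEscaping {

    // Naive form from the issue: the value is pasted between the quotes unchanged.
    static String naive(String s) {
        return String.format("valueText:\"%s\" ", s);
    }

    // Assumption: backslash is the escape character of the target string literal
    // and control characters are not allowed unescaped inside it.
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break; // escaped first-class, so a
                                                      // backslash in the data never
                                                      // starts an escape sequence
                case '"':  out.append("\\\""); break; // quote can no longer close the literal
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        // remaining control characters as a four-digit hex escape
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    static String encoded(String s) {
        return "valueText:\"" + escape(s) + "\" ";
    }

    public static void main(String[] args) {
        // Constructed sample values: a quote, a trailing backslash, a value that
        // closes the literal early, and text that looks like a unicode escape.
        String[] samples = { "plain", "say \"hi\"", "trailing\\",
                             "x\" other:\"y", "\\u0022 literal" };
        for (String s : samples) {
            System.out.println("naive:   " + naive(s));
            System.out.println("encoded: " + encoded(s));
        }
    }
}
```

Where the target store offers a client library or builder for filters, that remains preferable to hand-written escaping, since the escaping rules differ between filter languages.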