vscode-codeql
Square brackets in alert messages are not rendered correctly
Describe the bug
Square brackets in alert messages ([ and ]) are rendered as \[ and \] respectively.
Version
CodeQL extension version: 1.5.10
CodeQL CLI version: 2.7.5
Platform: darwin x64
To reproduce
Run the following query on a JavaScript (for instance) project:
/**
* @kind alert
*/
import javascript
select any(File f), "[] test"
Right click the query in the query history view and select "View Alerts (SARIF)". Observe that the square brackets are correctly escaped as \\[ and \\] per the SARIF spec:
Literal square brackets ("[" and "]") in the link text of a plain text message SHALL be escaped with a backslash ("\"). Since JSON itself treats the backslash as an escape character, the backslash SHALL be doubled.
Observe that the square brackets are not correctly escaped in the alert message:
Expected behavior
The alert message should be "[] test"
Thanks for raising this. I see that the raw results are rendered correctly. So, the SARIF is correct, it's just that our handling of the JSON needs to remove the \\ before displaying.
According to the spec, we should be handling unescaped [..] as a link. I don't think we're doing this either.