From d3699f90109005e7c39758298bb97fd80cc7a5c6 Mon Sep 17 00:00:00 2001
From: Jonghyeok Park
Date: Tue, 24 Mar 2026 10:36:00 +0900
Subject: [PATCH] fix: use AppleScript-safe escaping and reduce spawnSync timeout

- Replace JSON.stringify with curly quote substitution for AppleScript compatibility (AppleScript does not support \" backslash escapes)
- Reduce spawnSync timeout from 5000ms to 3000ms to leave headroom within the 5s hook deadline
---
 scripts/hooks/desktop-notify.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/scripts/hooks/desktop-notify.js b/scripts/hooks/desktop-notify.js
index 1e849b73..a9bd2540 100644
--- a/scripts/hooks/desktop-notify.js
+++ b/scripts/hooks/desktop-notify.js
@@ -40,11 +40,14 @@ function extractSummary(message) {
 
 /**
 * Send a macOS notification via osascript.
- * Uses spawnSync with an argument array to avoid shell injection.
+ * AppleScript strings do not support backslash escapes, so we replace
+ * double quotes with curly quotes and strip backslashes before embedding.
 */
 function notifyMacOS(title, body) {
- const script = `display notification ${JSON.stringify(body)} with title ${JSON.stringify(title)}`;
- spawnSync('osascript', ['-e', script], { stdio: 'ignore', timeout: 5000 });
+ const safeBody = body.replace(/\\/g, '').replace(/"/g, '\u201C');
+ const safeTitle = title.replace(/\\/g, '').replace(/"/g, '\u201C');
+ const script = `display notification "${safeBody}" with title "${safeTitle}"`;
+ spawnSync('osascript', ['-e', script], { stdio: 'ignore', timeout: 3000 });
 }
 
 // TODO: future platform support
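Review bot: In `notifyMacOS` the two `.replace()` chains are now the only thing that keeps notification text from closing the string literal and being parsed as AppleScript, and the rewritten doc comment no longer says so; it also drops the still-true remark that `spawnSync` receives an argument array, so no shell is involved. I would keep that line and add something like `* title/body are treated as untrusted text: a raw " must never reach the embedded script`. The escaping is written out twice, so a small helper such as `const escapeAppleScript = (s) => String(s).replace(/\\/g, '').replace(/"/g, '\u201C');` would keep both call sites in step, and the `String()` coercion avoids a TypeError if a caller (not visible in this hunk) ever passes a non-string. A sturdier design, which would need checking on a Mac, is to stop embedding the text in the script source and pass it as osascript arguments to an `on run argv` handler instead.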