RedisGraph / redisgraph-py

RedisGraph python client
https://redisgraph.io
BSD 3-Clause "New" or "Revised" License

`util.quote_string` does not properly escape everything #139

Closed micromaomao closed 2 years ago

micromaomao commented 3 years ago

Currently it only replaces " and nothing else (e.g. \ itself is left as-is). This leads to storing incorrect data and also an injection vulnerability when passing properties to Node:

from redis import Redis
from redisgraph import Graph, Node
r = Redis("localhost")
g = Graph("g", r)
n = Node(label="label", properties={"prop": '\\"}), (dummy:a) with dummy match (e) delete e; //'})
g.add_node(n)
# this will delete everything in the graph
g.commit()

I was not able to find a way to pass a parameterized query at the protocol level (hence avoiding the use of quote_string in the first place), nor could I find any specification of the escape syntax of Cypher, but one possible solution might be to just assume json.dump() is good enough.

mdecuir commented 2 years ago

I just encountered what I believe to be the same issue, where I was storing a JSON-escaped string in a property.

From my investigation into the issue, my conclusion was that applying json.dumps to all string values consistently produced values that redisgraph would interpret as expected.
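As an added example (not part of the issue or of redisgraph-py itself), the quote-only escaping the report describes sits beside a corrected quoting function and the json.dumps approach both comments converge on, with a small scanner that checks whether a quoted value stays one string literal. The scanner assumes Cypher string literals use backslash escapes; the payload is the one quoted in the report.

```python
import json

# Constructed from the issue: the value that breaks out of the literal
# when only '"' is escaped (it starts with a backslash and a quote).
ISSUE_PAYLOAD = '\\"}), (dummy:a) with dummy match (e) delete e; //'


def quote_string_weak(value: str) -> str:
    """Mirror the behaviour the issue describes: only '"' is escaped."""
    return '"' + value.replace('"', '\\"') + '"'


def quote_string_fixed(value: str) -> str:
    """Escape the escape character first, then the quote, so no byte sequence
    in the value can terminate the literal or swallow the closing quote."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def quote_string_json(value: str) -> str:
    """The approach suggested in the thread: json.dumps escapes backslash and
    quote the same way and additionally encodes control characters."""
    return json.dumps(value)


def literal_end(quoted: str) -> int:
    """Index at which the double-quoted literal starting at quoted[0] closes,
    honouring backslash escapes, or -1 if it never closes. Assumes Cypher-style
    backslash escaping (assumption, not taken from the RedisGraph source)."""
    if not quoted or quoted[0] != '"':
        return -1
    i = 1
    while i < len(quoted):
        if quoted[i] == '\\':
            i += 2          # skip the escaped character
            continue
        if quoted[i] == '"':
            return i
        i += 1
    return -1


def escapes_safely(quote, value: str) -> bool:
    """True if the quoted value is exactly one literal: it closes at its last
    character and nowhere earlier, so nothing after it is parsed as Cypher."""
    quoted = quote(value)
    return literal_end(quoted) == len(quoted) - 1
```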