fix(admin): escape HogQL backslashes

[kilo-code-bot]

Summary

• Resolves CodeQL alert 226 by escaping backslashes before single quotes in admin feature-interest HogQL string literals.
• Keeps the existing query construction and feature interest behavior unchanged while making the custom escaping complete.

Verification

N/A - backend query escaping change only; no manual UI flow was exercised.

Visual Changes

N/A

Reviewer Notes

CodeQL alert: https://github.com/Kilo-Org/cloud/security/code-scanning/226

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

The fix correctly resolves CodeQL alert 226 by adding a escapeHogQLStringLiteral helper that escapes backslashes before single quotes, ensuring neither character sequence can be used to break out of HogQL string literals.

Notes

Escaping order is correct: backslash → double-backslash is applied first, then single-quote → escaped-single-quote. This is the right order — reversing it would allow a pre-existing \' in input to survive as an unescaped quote after transformation.

Pre-existing pattern (not introduced by this PR): The LIKE '%${escapedValue}%' construction does not escape % or _ wildcard characters, meaning a feature name containing % would match more rows than intended. This is a pre-existing issue limited to the admin-only adminProcedure route and not a change introduced here.

limit and offset are safe: Both are Zod-validated as z.number() with min/max bounds before interpolation.

Files Reviewed (1 file)

• apps/web/src/routers/admin-feature-interest-router.ts

Fix these issues in Kilo Cloud

---

_{Reviewed by claude-4.6-sonnet-20260217 · 276,755 tokens}

_{Review guidance: REVIEW.md from base branch main}