Fix JSON injection vulnerability in delete_task() and related functions

[Copilot]

The delete_task() function interpolated task_id directly into JSON strings without escaping, allowing malformed JSON when inputs contain quotes, backslashes, or other special characters.

Changes

• R/tasks.R: Applied escape_json() to user-controlled values in Sync API commands:
  • delete_task(): escape task_id
  • close_task(): escape task_id
  • reopen_task(): escape task_id
  • update_task(): escape task_id, due_date, and labels array values

Example

# Before (vulnerable to injection):
commands = glue('[{{"type": "item_delete", "args": {{"id": "{task_id}"}}}}]')

# After (sanitized):
commands = glue('[{{"type": "item_delete", "args": {{"id": "{escape_json(task_id)}"}}}}]')

Applied in commits 040e023 and bf41593.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.