[BUG] The replace helper function does not sanitize input properly, resulting in unexpected output.

[TimMaasGeesteranus]

Is there an existing issue for this?

• I have searched the existing issues.

Current Behavior

Somehow, the replace(str, old, new_string) function does not sanitize the input of the new string correctly. Whenever there is a ' (single quote) in the new string, the replace function fails to handle it correctly. This should not happen.

edit: if the single quote is escaped like this: \' no problems occur

Expected Behavior

The replace(str, old, new string) function should be able to handle all inputs

Steps To Reproduce

id: nucleiTest

info:
  name: test template
  author: tim
  severity: low
  description: a test template

variables:
  endpoint: /test/?id=PAYLOAD

http:      
  - raw:
    - |
      GET {{replace("{{endpoint}}", "PAYLOAD", "{{sql}}")}} HTTP/1.1
      Host: {{Host}}
    
    payloads:
      sql: 
        - firstpayload
        - secondpayload'

Expected request headers:

GET /test/?id=firstpayload HTTP/1.1
GET /test/?id=secondpayload' HTTP/1.1

Current request headers:

GET /test/?id=firstpayload HTTP/1.1
GET /%7B%7Breplace%28%22/test/?id=PAYLOAD", HTTP/1.1

Relevant log output

Environment

- Nuclei: 3.3.6

Anything else?

I tried to fix this, but unfortunately I'm not experienced enough in Go programming to do so. Any help is appreciated, let me know if you need more details (: