Merge pull request from GHSA-mcph-m25j-8j63

* feat: add `safe_output` input enabled by default

* fix: migrate README to safe uses of interpolation

* fix: README `uses` typo

* fix: README examples to account for newlines

* fix: README examples missing `safe_output`

* fix: remove sanitization of `'`

* fix: also sanitize `|&;`

src/utils.ts

@@ -1324,7 +1324,8 @@ export const setArrayOutput = async ({
     writeOutputFiles: inputs.writeOutputFiles,
     outputDir: inputs.outputDir,
     json: inputs.json,
-    shouldEscape: inputs.escapeJson
+    shouldEscape: inputs.escapeJson,
+    safeOutput: inputs.safeOutput
   })
 }
 
@@ -1334,7 +1335,8 @@ export const setOutput = async ({
   writeOutputFiles,
   outputDir,
   json = false,
-  shouldEscape = false
+  shouldEscape = false,
+  safeOutput = false
 }: {
   key: string
   value: string | string[] | boolean
@@ -1342,6 +1344,7 @@ export const setOutput = async ({
   outputDir: string
   json?: boolean
   shouldEscape?: boolean
+  safeOutput?: boolean
 }): Promise<void> => {
   let cleanedValue
   if (json) {
@@ -1350,6 +1353,11 @@ export const setOutput = async ({
     cleanedValue = value.toString().trim()
   }
 
+  // if safeOutput is true, escape special characters for bash shell
+  if (safeOutput) {
+    cleanedValue = cleanedValue.replace(/[$()`|&;]/g, '\\$&')
+  }
+
   core.setOutput(key, cleanedValue)
 
   if (writeOutputFiles) {