fix json key escaping

django_snowflake/features.py

@@ -78,14 +78,6 @@ class DatabaseFeatures(BaseDatabaseFeatures):
         'expressions.tests.FTimeDeltaTests.test_date_subtraction',
         'expressions.tests.FTimeDeltaTests.test_datetime_subtraction',
         'expressions.tests.FTimeDeltaTests.test_time_subtraction',
-        # https://github.com/django/django/commit/7deeabc7c7526786df6894429ce89a9c4b614086
-        # When trying to pass the json_path as a query parameter, Snowflake
-        # Python Connector's Cursor._preprocess_pyformat_query() interpolates
-        # (command % processed_params) and adds incorrect quotes, e.g.
-        # "MODEL_FIELDS_NULLABLEJSONMODEL"."VALUE"':%total' instead of
-        # "MODEL_FIELDS_NULLABLEJSONMODEL"."VALUE":%total.
-        'model_fields.test_jsonfield.TestQuerying.test_key_escape',
-        'model_fields.test_jsonfield.TestQuerying.test_key_sql_injection_escape',
         # https://github.com/django/django/commit/a88fab1bca33c037bd1a12459c215d7bc1247735
         # Integer looks like "MODEL_FIELDS_NULLABLEJSONMODEL"."VALUE"[123] need
         # to be rewritten as "MODEL_FIELDS_NULLABLEJSONMODEL"."VALUE":"123"

django_snowflake/lookups.py

@@ -11,11 +11,15 @@ def compile_json_path(key_transforms):
         except ValueError:  # non-integer
             # The first separator must be a colon, otherwise a period.
             separator = ':' if json_path == '' else '.'
-            json_path += f'{separator}{transform}'
+            # Escape quotes to protect against SQL injection.
+            transform = transform.replace('"', '\\"')
+            json_path += f'{separator}"{transform}"'
         else:
             # An integer lookup is an array index.
             json_path += f'[{idx}]'
-    return json_path
+    # Escape percent literals since snowflake-connector-python uses
+    # interpolation to bind parameters.
+    return json_path.replace('%', '%%')
 
 
 def key_text_transform(self, compiler, connection):