Improve and consistently use escapeHtml

actions/ban.js

@@ -2,7 +2,7 @@
 
 const dedent = require('dedent-js');
 
-const { displayUser, link } = require('../utils/tg');
+const { escapeHtml, displayUser, link } = require('../utils/tg');
 const { telegram } = require('../bot');
 
 const { listGroups } = require('../stores/group');
@@ -24,5 +24,5 @@ module.exports = async ({ admin, reason, userToBan }) => {
 	return dedent(`
 		🚫 ${link(admin)} <b>banned</b> ${displayUser(userToBan)} <b>for:</b>
 
-		${reason}`);
+		${escapeHtml(reason)}`);
 };

actions/warn.js

@@ -4,7 +4,7 @@ const dedent = require('dedent-js');
 const ms = require('millisecond');
 
 const { context } = require('../bot');
-const { link } = require('../utils/tg');
+const { escapeHtml, link } = require('../utils/tg');
 const {
 	expireWarnsAfter = Infinity,
 	numberOfWarnsToBan,
@@ -24,10 +24,12 @@ module.exports = async ({ admin, reason, userToWarn }) => {
 	const isLastWarn = ', <b>last warning!</b>'
 		.repeat(recentWarns.length === numberOfWarnsToBan - 1);
 
+	const count = `${recentWarns.length}/${numberOfWarnsToBan}${isLastWarn}`;
+
 	const warnMessage = dedent(`
 		⚠️ ${link(admin)} <b>warned</b> ${link(userToWarn)} <b>for</b>:
 
-		${reason} (${recentWarns.length}/${numberOfWarnsToBan}${isLastWarn})`);
+		${escapeHtml(reason)} (${count})`);
 
 	if (recentWarns.length >= numberOfWarnsToBan) {
 		await ban({

handlers/commands/unwarn.js

@@ -3,7 +3,7 @@
 const { last } = require('ramda');
 
 // Utils
-const { link, scheduleDeletion } = require('../../utils/tg');
+const { escapeHtml, link, scheduleDeletion } = require('../../utils/tg');
 const { parse, strip } = require('../../utils/parse');
 
 // Config
@@ -72,7 +72,7 @@ const unwarnHandler = async ({ from, message, reply, telegram }) => {
 
 	return reply(
 		`❎ ${link(from)} <b>pardoned</b> ${link(userToUnwarn)} ` +
-		`<b>for:</b>\n\n${lastWarn.reason || lastWarn}` +
+		`<b>for:</b>\n\n${escapeHtml(lastWarn.reason || lastWarn)}` +
 		` (${allWarns.length - 1}/${numberOfWarnsToBan})`,
 		replyOptions
 	);

handlers/commands/user.js

@@ -2,7 +2,7 @@
 
 // Utils
 const { parse, strip } = require('../../utils/parse');
-const { scheduleDeletion } = require('../../utils/tg');
+const { escapeHtml, scheduleDeletion } = require('../../utils/tg');
 
 // Bot
 const { replyOptions } = require('../../bot/options');
@@ -40,18 +40,20 @@ const getWarnsHandler = async ({ from, message, reply }) => {
 
 	const { first_name, id, last_name, status, username, warns } = theUser;
 
-	const userName = `<b>Name:</b> <code>${first_name} ${last_name}</code>\n`;
+	const userName = '<b>Name:</b> ' +
+		`<code>${escapeHtml(first_name)} ${escapeHtml(last_name)}</code>\n`;
 	const userId = `<b>ID:</b> <code>${id}</code>\n`;
 	const userStatus = `<b>Status:</b> <code>${status}</code>\n`;
 	const userUsername = username
 		? `<b>Username:</b> @${username}\n`
 		: '';
 	const banReason = theUser.ban_reason
-		? `\n🚫 <b>Ban reason:</b>\n<code>${theUser.ban_reason}</code>`
+		? '\n🚫 <b>Ban reason:</b>\n' +
+			`<code>${escapeHtml(theUser.ban_reason)}</code>`
 		: '';
 	const userWarns = warns.length
 		? '\n<b>⚠️ Warns:</b>\n' + warns
-			.map((warn, i) => `${i + 1}. ${warn.reason || warn}`)
+			.map((warn, i) => `${i + 1}. ${escapeHtml(warn.reason || warn)}`)
 			.join('\n') + '\n'
 		: '';
 

utils/tg.js

@@ -13,6 +13,9 @@ const isCommand = R.pipe(
 );
 
 const escapeHtml = s => s
+	.replace(/&/g, '&')
+	.replace(/"/g, '"')
+	.replace(/'/g, ''')
 	.replace(/</g, '&lt;');
 
 const msgLink = msg =>