diff --git a/actions/ban.js b/actions/ban.js
index b9f8585..422829c 100644
--- a/actions/ban.js
+++ b/actions/ban.js
@@ -2,7 +2,7 @@
const dedent = require('dedent-js');
-const { displayUser, link } = require('../utils/tg');
+const { escapeHtml, displayUser, link } = require('../utils/tg');
const { telegram } = require('../bot');
const { listGroups } = require('../stores/group');
@@ -24,5 +24,5 @@ module.exports = async ({ admin, reason, userToBan }) => {
return dedent(`
🚫 ${link(admin)} banned ${displayUser(userToBan)} for:
- ${reason}`);
+ ${escapeHtml(reason)}`);
};
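Review bot: The new `escapeHtml(reason)` on the last changed line of this hunk assumes `reason` is always a string — `escapeHtml` in utils/tg.js calls `s.replace` on its argument directly — so a call site that receives `undefined` or a non-string value now throws a TypeError where the old template rendered the value verbatim. The same applies to the escapeHtml calls added in warn.js, unwarn.js and user.js; in user.js it is concrete, because `last_name` is optional on Telegram user objects and `escapeHtml(last_name)` will throw for any user without one. Either make the helper total over its inputs (`const escapeHtml = s => String(s ?? '')` ahead of the `.replace` chain; its definition starts in the utils/tg.js hunk but runs past the end of this view) or guard the call sites, e.g. `${escapeHtml(first_name)} ${escapeHtml(last_name ?? '')}`. Separately, the replacement strings in that tg.js hunk display here as bare `&`, `"` and `'`, which as shown would make those three `.replace` calls no-ops — presumably the entities were decoded when the diff was rendered, but it is worth confirming the committed source does substitute the entity forms.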
diff --git a/actions/warn.js b/actions/warn.js
index 8f850ce..a27e937 100644
--- a/actions/warn.js
+++ b/actions/warn.js
@@ -4,7 +4,7 @@ const dedent = require('dedent-js');
const ms = require('millisecond');
const { context } = require('../bot');
-const { link } = require('../utils/tg');
+const { escapeHtml, link } = require('../utils/tg');
const {
expireWarnsAfter = Infinity,
numberOfWarnsToBan,
@@ -24,10 +24,12 @@ module.exports = async ({ admin, reason, userToWarn }) => {
const isLastWarn = ', last warning!'
.repeat(recentWarns.length === numberOfWarnsToBan - 1);
+ const count = `${recentWarns.length}/${numberOfWarnsToBan}${isLastWarn}`;
+
const warnMessage = dedent(`
⚠️ ${link(admin)} warned ${link(userToWarn)} for:
- ${reason} (${recentWarns.length}/${numberOfWarnsToBan}${isLastWarn})`);
+ ${escapeHtml(reason)} (${count})`);
if (recentWarns.length >= numberOfWarnsToBan) {
await ban({
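Review bot: The new `count` string folds in `isLastWarn`, which is still built with `', last warning!'.repeat(boolean)` and relies on `String.prototype.repeat` coercing `true`/`false` to 1/0; now that the suffix is assembled in its own step, a plain conditional reads clearer and removes the coercion: `const isLastWarn = recentWarns.length === numberOfWarnsToBan - 1 ? ', last warning!' : '';`. The surrounding function body, including the `if` that calls `ban`, continues past the end of this hunk.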
diff --git a/handlers/commands/unwarn.js b/handlers/commands/unwarn.js
index 95fb527..f12a943 100644
--- a/handlers/commands/unwarn.js
+++ b/handlers/commands/unwarn.js
@@ -3,7 +3,7 @@
const { last } = require('ramda');
// Utils
-const { link, scheduleDeletion } = require('../../utils/tg');
+const { escapeHtml, link, scheduleDeletion } = require('../../utils/tg');
const { parse, strip } = require('../../utils/parse');
// Config
@@ -72,7 +72,7 @@ const unwarnHandler = async ({ from, message, reply, telegram }) => {
return reply(
`❎ ${link(from)} pardoned ${link(userToUnwarn)} ` +
- `for:\n\n${lastWarn.reason || lastWarn}` +
+ `for:\n\n${escapeHtml(lastWarn.reason || lastWarn)}` +
` (${allWarns.length - 1}/${numberOfWarnsToBan})`,
replyOptions
);
diff --git a/handlers/commands/user.js b/handlers/commands/user.js
index 05975c2..ebe1d47 100644
--- a/handlers/commands/user.js
+++ b/handlers/commands/user.js
@@ -2,7 +2,7 @@
// Utils
const { parse, strip } = require('../../utils/parse');
-const { scheduleDeletion } = require('../../utils/tg');
+const { escapeHtml, scheduleDeletion } = require('../../utils/tg');
// Bot
const { replyOptions } = require('../../bot/options');
@@ -40,18 +40,20 @@ const getWarnsHandler = async ({ from, message, reply }) => {
const { first_name, id, last_name, status, username, warns } = theUser;
- const userName = `Name: ${first_name} ${last_name}
\n`;
+ const userName = 'Name: ' +
+ `${escapeHtml(first_name)} ${escapeHtml(last_name)}
\n`;
const userId = `ID: ${id}
\n`;
const userStatus = `Status: ${status}
\n`;
const userUsername = username
? `Username: @${username}\n`
: '';
const banReason = theUser.ban_reason
- ? `\n🚫 Ban reason:\n${theUser.ban_reason}
`
+ ? '\n🚫 Ban reason:\n' +
+ `${escapeHtml(theUser.ban_reason)}
`
: '';
const userWarns = warns.length
? '\n⚠️ Warns:\n' + warns
- .map((warn, i) => `${i + 1}. ${warn.reason || warn}`)
+ .map((warn, i) => `${i + 1}. ${escapeHtml(warn.reason || warn)}`)
.join('\n') + '\n'
: '';
diff --git a/utils/tg.js b/utils/tg.js
index 2e962ba..105a852 100644
--- a/utils/tg.js
+++ b/utils/tg.js
@@ -13,6 +13,9 @@ const isCommand = R.pipe(
);
const escapeHtml = s => s
+ .replace(/&/g, '&')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''')
.replace(/