From b83e8bf42f52375786b1548f02c44be77bd1e4b3 Mon Sep 17 00:00:00 2001
From: GingerPlusPlus
Date: Sat, 6 Apr 2019 20:58:56 +0200
Subject: [PATCH] Improve and consistently use escapeHtml
---
 actions/ban.js | 4 ++--
 actions/warn.js | 6 ++++--
 handlers/commands/unwarn.js | 4 ++--
 handlers/commands/user.js | 10 ++++++----
 utils/tg.js | 3 +++
 5 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/actions/ban.js b/actions/ban.js
index b9f8585..422829c 100644
--- a/actions/ban.js
+++ b/actions/ban.js
@@ -2,7 +2,7 @@
 const dedent = require('dedent-js');
-const { displayUser, link } = require('../utils/tg');
+const { escapeHtml, displayUser, link } = require('../utils/tg');
 const { telegram } = require('../bot');
 const { listGroups } = require('../stores/group');
@@ -24,5 +24,5 @@ module.exports = async ({ admin, reason, userToBan }) => {
 return dedent(`
 🚫 ${link(admin)} banned ${displayUser(userToBan)} for:
- ${reason}`);
+ ${escapeHtml(reason)}`);
 };
diff --git a/actions/warn.js b/actions/warn.js
index 8f850ce..a27e937 100644
--- a/actions/warn.js
+++ b/actions/warn.js
@@ -4,7 +4,7 @@
 const dedent = require('dedent-js');
 const ms = require('millisecond');
 const { context } = require('../bot');
-const { link } = require('../utils/tg');
+const { escapeHtml, link } = require('../utils/tg');
 const {
 expireWarnsAfter = Infinity,
 numberOfWarnsToBan,
@@ -24,10 +24,12 @@ module.exports = async ({ admin, reason, userToWarn }) => {
 const isLastWarn = ', last warning!'
 .repeat(recentWarns.length === numberOfWarnsToBan - 1);
+ const count = `${recentWarns.length}/${numberOfWarnsToBan}${isLastWarn}`;
+
 const warnMessage = dedent(`
 ⚠️ ${link(admin)} warned ${link(userToWarn)} for:
- ${reason} (${recentWarns.length}/${numberOfWarnsToBan}${isLastWarn})`);
+ ${escapeHtml(reason)} (${count})`);
 if (recentWarns.length >= numberOfWarnsToBan) {
 await ban({
diff --git a/handlers/commands/unwarn.js b/handlers/commands/unwarn.js
index 95fb527..f12a943 100644
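Review bot: `escapeHtml(reason)` turns a missing reason into a TypeError, because escapeHtml in utils/tg.js is `s => s.replace(...)` with no coercion, whereas the old `${reason}` at worst rendered the word undefined; whether a ban can reach this line without a reason is not visible here, but the `lastWarn.reason || lastWarn` and `warn.reason || warn` fallbacks in handlers/commands/unwarn.js and handlers/commands/user.js suggest stored reasons are not always plain strings. The cheapest fix is to coerce once inside escapeHtml, `const escapeHtml = s => String(s == null ? '' : s)` followed by the existing `.replace` chain, so this call, the one in actions/warn.js and the two fallback calls all stop throwing on undefined or on a warn record stored without a reason. The exported async function starts above this hunk, so I cannot see whether reason is validated earlier. It is also worth confirming that `link(admin)` and `displayUser(userToBan)` escape the user's names the way handlers/commands/user.js now escapes first_name and last_name, since they are interpolated into the same HTML message and those names are user-supplied text.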
--- a/handlers/commands/unwarn.js
+++ b/handlers/commands/unwarn.js
@@ -3,7 +3,7 @@
 const { last } = require('ramda');
 // Utils
-const { link, scheduleDeletion } = require('../../utils/tg');
+const { escapeHtml, link, scheduleDeletion } = require('../../utils/tg');
 const { parse, strip } = require('../../utils/parse');
 // Config
@@ -72,7 +72,7 @@ const unwarnHandler = async ({ from, message, reply, telegram }) => {
 return reply(
 `❎ ${link(from)} pardoned ${link(userToUnwarn)} ` +
- `for:\n\n${lastWarn.reason || lastWarn}` +
+ `for:\n\n${escapeHtml(lastWarn.reason || lastWarn)}` +
 ` (${allWarns.length - 1}/${numberOfWarnsToBan})`,
 replyOptions
 );
diff --git a/handlers/commands/user.js b/handlers/commands/user.js
index 05975c2..ebe1d47 100644
--- a/handlers/commands/user.js
+++ b/handlers/commands/user.js
@@ -2,7 +2,7 @@
 // Utils
 const { parse, strip } = require('../../utils/parse');
-const { scheduleDeletion } = require('../../utils/tg');
+const { escapeHtml, scheduleDeletion } = require('../../utils/tg');
 // Bot
 const { replyOptions } = require('../../bot/options');
@@ -40,18 +40,20 @@ const getWarnsHandler = async ({ from, message, reply }) => {
 const { first_name, id, last_name, status, username, warns } = theUser;
- const userName = `Name: ${first_name} ${last_name}\n`;
+ const userName = 'Name: ' +
+ `${escapeHtml(first_name)} ${escapeHtml(last_name)}\n`;
 const userId = `ID: ${id}\n`;
 const userStatus = `Status: ${status}\n`;
 const userUsername = username
 ? `Username: @${username}\n`
 : '';
 const banReason = theUser.ban_reason
- ? `\n🚫 Ban reason:\n${theUser.ban_reason}`
+ ? '\n🚫 Ban reason:\n' +
+ `${escapeHtml(theUser.ban_reason)}`
 : '';
 const userWarns = warns.length
 ? '\n⚠️ Warns:\n' + warns
- .map((warn, i) => `${i + 1}. ${warn.reason || warn}`)
+ .map((warn, i) => `${i + 1}. ${escapeHtml(warn.reason || warn)}`)
 .join('\n') + '\n'
 : '';
diff --git a/utils/tg.js b/utils/tg.js
index 2e962ba..105a852 100644
--- a/utils/tg.js
+++ b/utils/tg.js
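Review bot: `escapeHtml(last_name)` on the new userName line will throw for any user without a last name, since escapeHtml calls `.replace` directly on its argument and, assuming theUser mirrors the Telegram User object, last_name is optional there; the old template merely printed undefined in that case, so this is a new crash in the /user handler. Build the name from the parts that exist instead: `const fullName = [first_name, last_name].filter(Boolean).map(escapeHtml).join(' ');` and `const userName = 'Name: ' + fullName + '\n';`. `theUser.ban_reason` is already guarded by the ternary, and `@${username}` can stay unescaped only because Telegram restricts usernames to letters, digits and underscores, which deserves a short comment so nobody "fixes" it later. getWarnsHandler starts and ends outside this hunk.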
@@ -13,6 +13,9 @@ const isCommand = R.pipe(
 );
 const escapeHtml = s => s
+ .replace(/&/g, '&')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''')
 .replace(/