From e1fa0493d726789dab6db950bcaa58a4bada0e5f Mon Sep 17 00:00:00 2001 From: Dmytro Vakulenko Date: Mon, 5 Dec 2022 12:03:52 +0200 Subject: [PATCH] fix(UABOT-89): add message escaping to fix < and > --- package-lock.json | 14 ++++++++++++++ package.json | 2 ++ src/bot/listeners/on-text.listener.ts | 7 ++++--- src/bot/middleware/delete-swindlers.middleware.ts | 9 +++++---- src/services/url.service.test.ts | 4 ++-- 5 files changed, 27 insertions(+), 9 deletions(-) diff --git a/package-lock.json b/package-lock.json index 6f12c023..dbfd93c8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -27,6 +27,7 @@ "contains-emoji": "^1.1.4", "cyrillic-to-translit-js": "^3.2.1", "diff": "^5.1.0", + "escape-html": "^1.0.3", "eventsource": "^2.0.2", "express": "^4.18.2", "fuse.js": "^6.6.2", @@ -55,6 +56,7 @@ "devDependencies": { "@commitlint/config-conventional": "^17.1.0", "@swc/jest": "^0.2.23", + "@types/escape-html": "^1.0.2", "@types/eventsource": "^1.1.10", "@types/express": "^4.17.14", "@types/jest": "^29.2.0", @@ -2454,6 +2456,12 @@ "@types/node": "*" } }, + "node_modules/@types/escape-html": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/@types/escape-html/-/escape-html-1.0.2.tgz", + "integrity": "sha512-gaBLT8pdcexFztLSPRtriHeXY/Kn4907uOCZ4Q3lncFBkheAWOuNt53ypsF8szgxbEJ513UeBzcf4utN0EzEwA==", + "dev": true + }, "node_modules/@types/eventsource": { "version": "1.1.10", "resolved": "https://registry.npmjs.org/@types/eventsource/-/eventsource-1.1.10.tgz", @@ -23447,6 +23455,12 @@ "@types/node": "*" } }, + "@types/escape-html": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/@types/escape-html/-/escape-html-1.0.2.tgz", + "integrity": "sha512-gaBLT8pdcexFztLSPRtriHeXY/Kn4907uOCZ4Q3lncFBkheAWOuNt53ypsF8szgxbEJ513UeBzcf4utN0EzEwA==", + "dev": true + }, "@types/eventsource": { "version": "1.1.10", "resolved": "https://registry.npmjs.org/@types/eventsource/-/eventsource-1.1.10.tgz", 
diff --git a/package.json b/package.json
index 74dffdfd..c80619f6 100644
--- a/package.json
+++ b/package.json
@@ -48,6 +48,7 @@
 "contains-emoji": "^1.1.4",
 "cyrillic-to-translit-js": "^3.2.1",
 "diff": "^5.1.0",
+ "escape-html": "^1.0.3",
 "eventsource": "^2.0.2",
 "express": "^4.18.2",
 "fuse.js": "^6.6.2",
@@ -76,6 +77,7 @@
 "devDependencies": {
 "@commitlint/config-conventional": "^17.1.0",
 "@swc/jest": "^0.2.23",
+ "@types/escape-html": "^1.0.2",
 "@types/eventsource": "^1.1.10",
 "@types/express": "^4.17.14",
 "@types/jest": "^29.2.0",
diff --git a/src/bot/listeners/on-text.listener.ts b/src/bot/listeners/on-text.listener.ts
index 848cee03..c63d13d5 100644
--- a/src/bot/listeners/on-text.listener.ts
+++ b/src/bot/listeners/on-text.listener.ts
@@ -1,3 +1,4 @@
+import escapeHTML from 'escape-html';
 import type { Bot, NextFunction } from 'grammy';
 import { InputFile } from 'grammy';
@@ -138,9 +139,9 @@ export class OnTextListener {
 this.bot.api
 .sendMessage(
 logsChat,
- `Cannot delete the following message from chat\n\n${telegramUtil.getChatTitle(context.chat)}\n${
- context.msg?.text || ''
- }`,
+ `Cannot delete the following message from chat\n\n${telegramUtil.getChatTitle(
+ context.chat,
+ )}\n${escapeHTML(context.msg?.text || '')}`,
 {
 parse_mode: 'HTML',
 },
diff --git a/src/bot/middleware/delete-swindlers.middleware.ts b/src/bot/middleware/delete-swindlers.middleware.ts
index 27eef1fb..660595bc 100644
--- a/src/bot/middleware/delete-swindlers.middleware.ts
+++ b/src/bot/middleware/delete-swindlers.middleware.ts
@@ -1,4 +1,5 @@
 import axios from 'axios';
+import escapeHTML from 'escape-html';
 import type { Bot } from 'grammy';
 import { InputFile } from 'grammy';
 import type { GrammyContext, GrammyMiddleware, SwindlerResponseBody, SwindlersResult, SwindlerType } from 'types';
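Review bot: The chat title interpolated just before the escaped text, `telegramUtil.getChatTitle(context.chat)`, still enters the `parse_mode: 'HTML'` message unescaped, so a group whose title contains `<`, `>` or `&` reproduces exactly the send failure this commit fixes for the message body, and since any group can set its own title that value is as untrusted as the text. Wrapping it the same way, `${escapeHTML(telegramUtil.getChatTitle(context.chat))}`, closes the gap; the `@@ -137` hunk of delete-swindlers.middleware.ts has the identical template and needs the same change. Whether getChatTitle already escapes its result is not visible in this patch and is worth confirming before relying on it. The enclosing method of OnTextListener starts and ends outside the hunk.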
@@ -86,7 +87,7 @@ export class DeleteSwindlersMiddleware {
 logsChat,
 `Looks like swindler's message (${(maxChance * 100).toFixed(2)}%) from ${from} by user ${userMention}:\n\n${
 chatMention || userMention
- }\n${text}`,
+ }\n${escapeHTML(text)}`,
 {
 parse_mode: 'HTML',
 },
@@ -137,9 +138,9 @@ export class DeleteSwindlersMiddleware {
 context.api
 .sendMessage(
 logsChat,
- `Cannot delete the following message from chat\n\n${telegramUtil.getChatTitle(context.chat)}\n${
- context.msg?.text || ''
- }`,
+ `Cannot delete the following message from chat\n\n${telegramUtil.getChatTitle(context.chat)}\n${escapeHTML(
+ context.msg?.text || '',
+ )}`,
 {
 parse_mode: 'HTML',
 },
diff --git a/src/services/url.service.test.ts b/src/services/url.service.test.ts
index 23e4f58e..d6a43c57 100644
--- a/src/services/url.service.test.ts
+++ b/src/services/url.service.test.ts
@@ -13,12 +13,12 @@ describe('UrlService', () => {
 });
 it('should parse urls without special symbols at the end', () => {
- const text = `test https://url.com/, test url.com. http://24.site/?order=946,`;
+ const text = `test https://url.com/, test url.com. http://24.site/?order=946, http://24privat.site/?order=94696970126<`;
 const result = urlService.parseUrls(text);
 console.info(text);
- expect(result).toEqual(['https://url.com', 'http://24.site/?order=946']);
+ expect(result).toEqual(['https://url.com', 'http://24.site/?order=946', 'http://24privat.site/?order=94696970126']);
 });
 it('should not parse invalid urls', () => {
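Review bot: In the `@@ -86` hunk only `text` is escaped while `${from}`, `${userMention}` and `${chatMention || userMention}` go into the same `parse_mode: 'HTML'` template as-is; those values are built outside the hunk, so it is not visible here whether they are pre-rendered HTML (a mention link) or raw names. If `chatMention` or `from` carries a raw chat or user title, `<`, `>` or `&` in it will still make the send fail, and the escaping then belongs where that string is assembled rather than in this template. A one-line comment would make the contract explicit for the next edit, e.g. `// userMention/chatMention are pre-built HTML; every other interpolated value must be escapeHTML'd`. The enclosing method of DeleteSwindlersMiddleware starts and ends outside both hunks.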
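Review bot: The new input exercises only a trailing `<`, although the commit title names both `<` and `>`; a second URL ending in `>` (constructed example: `http://24privat.site/?order=94696970126>` expected to parse to the same stripped URL) would pin the parser for the full set of characters the change is about. Because url.service.ts is not in the diffstat, this is a regression test for existing parseUrls behaviour rather than a fix, which is worth stating in the test name or a comment so the expectation is not mistaken for new functionality. The describe block continues outside the hunk.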