From c2af87b8b3c0ac0a135804eb7eaf904b909cf707 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=83=9D=E3=83=BC=E3=83=AB=20=E3=82=A6=E3=82=A7=E3=83=83?=
 =?UTF-8?q?=E3=83=96?= <netopwibby@thenetwork.email>
Date: Thu, 17 Jan 2019 15:24:27 -0600
Subject: [PATCH] HTML tags are now escaped in GitHub issue titles

---
 app/helpers/github.js | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/app/helpers/github.js b/app/helpers/github.js
index 6c1cffc..6f95415 100644
--- a/app/helpers/github.js
+++ b/app/helpers/github.js
@@ -15,6 +15,16 @@ const redis = require("redis");
 const messageSlack = local("/app/helpers/slack");
 const relativeDate = local("/app/modules/relative-date");
 
+String.prototype.escape = function() {
+  const tagsToReplace = {
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;"
+  };
+
+  return this.replace(/[&<>]/g, tag => tagsToReplace[tag] || tag);
+};
+
 //  R E D I S
 
 let client;
@@ -132,7 +142,7 @@ function generateEvent(event) {
             rel="noopener noreferrer"
             target="_blank"
             title="View this comment on GitHub"
-          >${event.payload.issue.title}</a></em> in
+          >${event.payload.issue.title.escape()}</a></em> in
         `;
       } else {
         return `
@@ -143,7 +153,7 @@ function generateEvent(event) {
             rel="noopener noreferrer"
             target="_blank"
             title="View this comment on GitHub"
-          >${event.payload.issue.title}</a></em> in
+          >${event.payload.issue.title.escape()}</a></em> in
         `;
       }
 
@@ -161,7 +171,7 @@ function generateEvent(event) {
           rel="noopener noreferrer"
           target="_blank"
           title="View this issue on GitHub"
-        >${event.payload.issue.title}</a></em> in
+        >${event.payload.issue.title.escape()}</a></em> in
       `;
 
     case "PullRequestEvent":
@@ -178,7 +188,7 @@ function generateEvent(event) {
           rel="noopener noreferrer"
           target="_blank"
           title="View this pull request on GitHub"
-        >${event.payload.pull_request.title}</a></em> in
+        >${event.payload.pull_request.title.escape()}</a></em> in
       `;
 
     case "PullRequestReviewCommentEvent":
@@ -195,7 +205,7 @@ function generateEvent(event) {
           rel="noopener noreferrer"
           target="_blank"
           title="View this comment on GitHub"
-        >${event.payload.pull_request.title}</a></em> in
+        >${event.payload.pull_request.title.escape()}</a></em> in
       `;
 
     case "PushEvent":