From be411904124647b5b051dabe96928e9de4a3c62c Mon Sep 17 00:00:00 2001
From: Hyeonmin Park
Date: Thu, 18 Nov 2021 14:48:38 +0900
Subject: [PATCH] fix(fields): escape Slack control characters in pullRequest title
---
 __tests__/fixtures/repos.commits.get.json | 2 +-
 __tests__/helper.ts | 2 +-
 __tests__/pull_request.test.ts | 4 ++--
 src/fields.ts | 7 ++++++-
 4 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/__tests__/fixtures/repos.commits.get.json b/__tests__/fixtures/repos.commits.get.json
index 3994f8f5..5fc13615 100644
--- a/__tests__/fixtures/repos.commits.get.json
+++ b/__tests__/fixtures/repos.commits.get.json
@@ -92,4 +92,4 @@
 "patch": "@@ -29,7 +29,7 @@\n....."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/__tests__/helper.ts b/__tests__/helper.ts
index 8a4aada1..1d7eaf66 100644
--- a/__tests__/helper.ts
+++ b/__tests__/helper.ts
@@ -181,7 +181,7 @@ export const pullRequest = (): Field => {
 let value;
 if (context.eventName.startsWith('pull_request')) {
 value =
- '';
+ '';
 } else {
 value = 'n/a';
 }
diff --git a/__tests__/pull_request.test.ts b/__tests__/pull_request.test.ts
index de6285ad..ce535b6e 100644
--- a/__tests__/pull_request.test.ts
+++ b/__tests__/pull_request.test.ts
@@ -67,7 +67,7 @@ describe.each`
 github.context.payload = {
 pull_request: {
 html_url: 'https://github.com/8398a7/action-slack/pull/123',
- title: 'Add pullRequest field',
+ title: 'Add pullRequest field & escaping <, >',
 number: 123,
 head: { sha },
 },
@@ -90,7 +90,7 @@ describe.each`
 payload.attachments[0].color = 'good';
 expect(await client.prepare(msg)).toStrictEqual(payload);
 expect(process.env.AS_PULL_REQUEST).toStrictEqual(
- '',
+ '',
 );
 });
 });
diff --git a/src/fields.ts b/src/fields.ts
index 04cd2993..d6bbdc68 100644
--- a/src/fields.ts
+++ b/src/fields.ts
@@ -199,7 +199,12 @@ export class FieldFactory {
 private async pullRequest(): Promise {
 let value;
 if (context.eventName.startsWith('pull_request')) {
- value = `<${context.payload.pull_request?.html_url}|${context.payload.pull_request?.title} #${context.payload.pull_request?.number}>`;
+ value = `<${
+ context.payload.pull_request?.html_url
+ }|${context.payload.pull_request?.title
+ ?.replace(/&/g, '&')
+ ?.replace(//g, '>')} #${context.payload.pull_request?.number}>`;
 } else {
 value = 'n/a';
 }
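Review bot: The escaping chain is written inline in `pullRequest()`, so it protects only this one field; any other builder in `FieldFactory` that puts user-controlled text (commit message, author, ref name) into Slack markup is outside this hunk and should be checked for the same gap. Moving it into a shared helper such as `const escapeSlack = (s: string): string => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');` keeps that consistent, with a comment that `&` must be replaced first so the entities produced for `<` and `>` are not escaped a second time. Only the `?.` directly after `title` has any effect, since `replace` always returns a string, and a missing title is still interpolated as the text `undefined`; `escapeSlack(context.payload.pull_request?.title ?? '')` handles both. The replacement literals look entity-decoded on this page (`'&'`, `//g`), so compare them with the file before relying on what is shown here. The body of `pullRequest()` continues past the end of the hunk.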