Escape special control characters (#157)

Author: namoscato

dist/index.js

@@ -1,4 +1,5 @@
-module.exports = {
+/** @type {import('jest').Config} */
+export default {
   clearMocks: true,
   moduleFileExtensions: ['js', 'ts'],
   testMatch: ['**/*.test.ts'],

jest.config.js

@@ -165,7 +165,7 @@ describe('postMessage', () => {
         data: {
           commit: {
             message:
-              'COMMIT-MESSAGE\n\nCo-authored-by: Nick <[email protected]>',
+              '<COMMIT> & MESSAGE\n\nCo-authored-by: Nick <[email protected]>',
             url: 'github.com/commit'
           }
         }
@@ -196,13 +196,13 @@ describe('postMessage', () => {
         icon_url: 'slack.com/nick',
         username: 'Nick (via GitHub)',
         unfurl_links: false,
-        text: 'Nick is deploying action-testing: COMMIT-MESSAGE',
+        text: 'Nick is deploying action-testing: <COMMIT> & MESSAGE',
         blocks: [
           {
             type: 'section',
             text: {
               type: 'mrkdwn',
-              text: ':black_square_button: <@U123> is deploying *action-testing*: <github.com/commit|COMMIT-MESSAGE>'
+              text: ':black_square_button: <@U123> is deploying *action-testing*: <github.com/commit|&lt;COMMIT&gt; &amp; MESSAGE>'
             }
           },
           {

src/__tests__/postMessage.test.ts

@@ -6,6 +6,8 @@ import {EnvironmentVariable, getEnv, getRequiredEnv} from './input'
 import {postMessage} from './postMessage'
 import {SlackClient} from './slack/SlackClient'
 
+run()
+
 async function run(): Promise<void> {
   try {
     const octokit = createOctokitClient()
@@ -43,5 +45,3 @@ function createOctokitClient(): OctokitClient {
 
   return getOctokit(token)
 }
-
-run()

src/main.ts

@@ -1,16 +1,31 @@
 import {Link} from './types'
+import {escapeText} from './utils/escapeText'
 
+/**
+ * Bold and escape the specified `text`.
+ *
+ * @see https://api.slack.com/reference/surfaces/formatting#visual-styles
+ */
 export function bold(text: string): string {
-  return `*${text}*`
+  return `*${escapeText(text)}*`
 }
 
+/**
+ * Return an emoji with the specified `name`.
+ *
+ * @see https://api.slack.com/reference/surfaces/formatting#emoji
+ */
 export function emoji(name: string): string {
   return `:${name}:`
 }
 
 /**
+ * Return a link with the specified `text` and `url`.
+ *
+ * The `text` is escaped.
+ *
  * @see https://api.slack.com/reference/surfaces/formatting#linking-urls
  */
 export function link({text, url}: Link): string {
-  return `<${url}|${text}>`
+  return `<${url}|${escapeText(text)}>`
 }

src/slack/mrkdwn.ts

@@ -0,0 +1,25 @@
+/**
+ * Replace special control characters in the specified `text`.
+ *
+ * @see https://docs.slack.dev/messaging/formatting-message-text#escaping
+ */
+export function escapeText(text: string): string {
+  return text.replace(
+    CONTROL_CHARACTER_REGEX,
+    match =>
+      CONTROL_CHARACTER_HTML_ENTITY_MAP[
+        match as keyof typeof CONTROL_CHARACTER_HTML_ENTITY_MAP
+      ]
+  )
+}
+
+const CONTROL_CHARACTER_HTML_ENTITY_MAP = {
+  '&': '&',
+  '<': '&lt;',
+  '>': '&gt;'
+} as const satisfies Record<string, string>
+
+const CONTROL_CHARACTER_REGEX = new RegExp(
+  `[${Object.keys(CONTROL_CHARACTER_HTML_ENTITY_MAP).join('')}]`,
+  'g'
+)