From e0007fb5cd4bc000f9a4329dc4ea3675876842cf Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 20 Jun 2024 11:20:16 +0200
Subject: [PATCH] github(summary): escape HTML when printing build error
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
package.json | 2 ++
src/github.ts | 5 +++--
yarn.lock | 18 ++++++++++++++++++
3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 2b45826..a292921 100644
--- a/package.json
+++ b/package.json
@@ -60,6 +60,7 @@
"csv-parse": "^5.5.6",
"gunzip-maybe": "^1.4.2",
"handlebars": "^4.7.8",
+ "he": "^1.2.0",
"js-yaml": "^4.1.0",
"jwt-decode": "^4.0.0",
"semver": "^7.6.2",
@@ -69,6 +70,7 @@
"devDependencies": {
"@types/csv-parse": "^1.2.2",
"@types/gunzip-maybe": "^1.4.2",
+ "@types/he": "^1.2.3",
"@types/js-yaml": "^4.0.9",
"@types/node": "^20.12.10",
"@types/semver": "^7.5.8",
diff --git a/src/github.ts b/src/github.ts
index a087fb5..a66c328 100644
--- a/src/github.ts
+++ b/src/github.ts
@@ -16,6 +16,7 @@
import crypto from 'crypto';
import fs from 'fs';
+import he from 'he';
import jsyaml from 'js-yaml';
import os from 'os';
import path from 'path';
@@ -284,7 +285,7 @@ export class GitHub {
// prettier-ignore
sum
.addRaw(`Error
`)
- .addCodeBlock(buildError, 'text')
+ .addCodeBlock(he.encode(buildError), 'text')
.addRaw(`
`) - .addCodeBlock(buildError, 'text') + .addCodeBlock(he.encode(buildError), 'text') .addRaw(`
`); } sum.addRaw(``); diff --git a/yarn.lock b/yarn.lock index e424c23..f87351c 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1112,6 +1112,7 @@ __metadata: "@octokit/plugin-rest-endpoint-methods": ^10.4.0 "@types/csv-parse": ^1.2.2 "@types/gunzip-maybe": ^1.4.2 + "@types/he": ^1.2.3 "@types/js-yaml": ^4.0.9 "@types/node": ^20.12.10 "@types/semver": ^7.5.8 @@ -1129,6 +1130,7 @@ __metadata: eslint-plugin-prettier: ^5.1.3 gunzip-maybe: ^1.4.2 handlebars: ^4.7.8 + he: ^1.2.0 jest: ^29.7.0 js-yaml: ^4.1.0 jwt-decode: ^4.0.0 @@ -2175,6 +2177,13 @@ __metadata: languageName: node linkType: hard +"@types/he@npm:^1.2.3": + version: 1.2.3 + resolution: "@types/he@npm:1.2.3" + checksum: e77851c73dd7b9902d92fe0118a26246a7f3676a3a1c6eb1408305187ef73b57c22550b1435946b983267f961d935554d5d0e1b458416932552f31e763e1aa41 + languageName: node + linkType: hard + "@types/istanbul-lib-coverage@npm:*, @types/istanbul-lib-coverage@npm:^2.0.0, @types/istanbul-lib-coverage@npm:^2.0.1": version: 2.0.3 resolution: "@types/istanbul-lib-coverage@npm:2.0.3" @@ -4923,6 +4932,15 @@ __metadata: languageName: node linkType: hard +"he@npm:^1.2.0": + version: 1.2.0 + resolution: "he@npm:1.2.0" + bin: + he: bin/he + checksum: 3d4d6babccccd79c5c5a3f929a68af33360d6445587d628087f39a965079d84f18ce9c3d3f917ee1e3978916fc833bb8b29377c3b403f919426f91bc6965e7a7 + languageName: node + linkType: hard + "html-escaper@npm:^2.0.0": version: 2.0.2 resolution: "html-escaper@npm:2.0.2"
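Review bot: In src/github.ts the new `.addCodeBlock(he.encode(buildError), 'text')` call uses `he.encode`, which by default replaces every non-ASCII symbol with a numeric character reference in addition to `&`, `<`, `>`, `"`, `'` and the backtick. `he.escape(buildError)` escapes only those six characters, which is enough to keep build output from being parsed as markup in the job summary and leaves non-ASCII error text readable in the raw summary file. The error text comes from the build and should be treated as untrusted wherever it is written; the enclosing method starts and ends outside the hunk, so it cannot be seen from here whether other values passed to `addRaw` in the same summary are escaped as well. A unit test that feeds an error string containing a tag (for example `<b>x</b>`) and asserts the escaped output would keep this from regressing.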