Check.schedule contains user input and needs to be escaped.

2017-05-12 11:15:23 +03:00 · 2017-05-12 11:15:23 +03:00 · 94cdfe1e64
commit 94cdfe1e64
parent 597d79abae
2 changed files with 13 additions and 1 deletions
--- a/hc/api/tests/test_notify.py
+++ b/hc/api/tests/test_notify.py
@ -205,6 +205,18 @@ class NotifyTestCase(BaseTestCase):
        n = Notification.objects.get()
        self.assertEqual(n.error, "Connection timed out")

+    @patch("hc.api.transports.requests.request")
+    def test_slack_with_tabs_in_schedule(self, mock_post):
+        self._setup_data("slack", "123")
+        self.check.kind = "cron"
+        self.check.schedule = "*\t* * * *"
+        self.check.save()
+        mock_post.return_value.status_code = 200
+
+        self.channel.notify(self.check)
+        self.assertEqual(Notification.objects.count(), 1)
+        self.assertTrue(mock_post.called)
+
    @patch("hc.api.transports.requests.request")
    def test_hipchat(self, mock_post):
        self._setup_data("hipchat", "123")
--- a/templates/integrations/slack_message.json
+++ b/templates/integrations/slack_message.json
@ -20,7 +20,7 @@
                },
            {% elif check.kind == "cron" %}
                {"title": "Schedule",
-                 "value": "{{ check.schedule }}",
+                 "value": "{{ check.schedule|escapejs }}",
                 "short": true
                },
            {% endif %}