Codecov Report

Merging #4227 into master will decrease coverage by 0.25%.
The diff coverage is 1.98%.

@@            Coverage Diff             @@
##           master    #4227      +/-   ##
==========================================
- Coverage   41.67%   41.42%   -0.26%     
==========================================
  Files         414      415       +1     
  Lines       55985    56337     +352     
==========================================
+ Hits        23331    23335       +4     
- Misses      29524    29873     +349     
+ Partials     3130     3129       -1

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6dbd261...14712ec. Read the comment docs.

@sapk updated tests

@sapk / @axifive do you have time for a review of this PR? If not that's ok, no rush.

When created an issue, the webhook failed:

{"ok":false,"error_code":400,"description":"Bad Request: can't parse entities: Unsupported start tag \"!--\" at byte offset 154"}

thanks for testing @lunny. Can you post the the request that was made to telegram, I wonder if I need to escape anything.

headers

Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Connection: keep-alive
Content-Length: 129
Content-Type: application/json
Date: Wed, 15 Aug 2018 04:09:49 GMT
Server: nginx/1.12.2

body

{
  "text": "[\u003ca href=\"http://localhost:3000/lunny/git\"\u003elunny/git\u003c/a\u003e] Issue opened: \u003ca href=\"http://localhost:3000/api/v1/repos/lunny/git/issues/4\"\u003e#4 new issue\u003c/a\u003e\n\n\u003c!--\r\n    1. Please speak English, this is the language all of us can speak and write.\r\n    2. Please ask questions or configuration/deploy problems on our Discord \r\n       server (https://discord.gg/NsatcWJ) or forum (https://discourse.gitea.io).\r\n    3. Please take a moment to check that your issue doesn't already exist.\r\n    4. Please give all relevant information below for bug reports, because \r\n       incomplete details will be handled as an invalid report.\r\n--\u003e\r\n",
  "parse_mode": "HTML"
}

Looking at docs the only supported HTML tags are: b, strong, i, em, a, code, and pre. All <,> and & symbols that are not a part of a tag or an HTML entity must be replaced with the corresponding HTML entities (<, >, and & which along with " are the only named HTML entities allowed). All numerical HTML entities are supported.

So I'm going to try to instead send HTML to the API, I will try to transform this into markdown, and send it that way.

@lunny @jonasfranz I'm now passing all messages through the sanitizer, and messages are successfully sending.

@jonasfranz please review

Looking at docs the only supported HTML tags are: b, strong, i, em, a, code, and pre. All <,> and & symbols that are not a part of a tag or an HTML entity must be replaced with the corresponding HTML entities (<, >, and & which along with " are the only named HTML entities allowed). All numerical HTML entities are supported.

So I'm going to try to instead send HTML to the API, I will try to transform this into markdown, and send it that way.

The root problem is that markdown shouldn't be mixed with HTML. The complete fix could be this: Refactor webhook #31587