From 28af4dec977d3899ab5bba1320134575c83d43af Mon Sep 17 00:00:00 2001 From: Kyle Fang Date: Wed, 30 Jul 2025 18:34:05 +0800 Subject: [PATCH] feat: implement HTML escaping in message formatting --- src/message.ts | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/src/message.ts b/src/message.ts index 42c981d..90c8846 100644 --- a/src/message.ts +++ b/src/message.ts @@ -8,21 +8,41 @@ export type RichMessage = { notify?: boolean; }; +// https://www.30secondsofcode.org/js/s/escape-unescape-html/ +const escapeHTML = (str: string) => + str.replace( + /[&<>'"]/g, + (tag: string) => + ({ + '&': '&', + '<': '<', + '>': '>', + "'": ''', + '"': '"' + }[tag] || tag) + ); + +const html = (strings: TemplateStringsArray, ...values: string[]) => { + return strings.map((string, index) => { + return string + escapeHTML(values[index] ?? ""); + }).join(""); +}; + export function formatRichMessage(message: RichMessage): string { const metadata = Object.entries(message.metadata ?? {}) - .map(([key, value]) => `#${key}: ${value}`) + .map(([key, value]) => html`#${key}: ${value}`) .join("\n"); - return `${message.emoji ? `${message.emoji} • ` : ""}${ + return html`${message.emoji ? `${message.emoji} • ` : ""}${ message.channel - ? `#${message.channel} + ? html`#${message.channel} ` : "" }${message.event}${ (message.text ?? message.message) - ? ` + ? html` -${message.text ?? message.message}` +${message.text ?? message.message ?? ""}` : "" }
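Review bot: The outer `html` tag in `formatRichMessage` escapes every interpolated value, and two of those values are themselves results of nested `html` calls (the `#${message.channel}` fragment and the `message.text ?? message.message` fragment), so their content is escaped twice and a `<` in a channel name or message body would be displayed as the literal text `&lt;` instead of `<`. This fails on the safe side, but it corrupts legitimate text; either leave the outer template untagged and escape only the leaves, e.g. `${escapeHTML(message.event)}`, or have `html` return a marked wrapper that the tag passes through without escaping again. Separately, the replacement map in `escapeHTML` appears here with each character mapped to itself, and the `"'"` entry does not parse as printed, which looks like the page rendering decoded the entities; it is worth confirming that the committed file holds `&amp;`, `&lt;`, `&gt;`, `&#39;` and `&quot;`, because with an identity map the function escapes nothing. `formatRichMessage` continues past the end of the hunk, so how `metadata` is interpolated into the result is not visible.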