From bd13ad3dc80b60058d8071de176a2cb3a8cda06a Mon Sep 17 00:00:00 2001
From: Ben Kelly <bk@ancilla.ca>
Date: Tue, 25 Jul 2017 10:19:15 -0400
Subject: Properly escape <&> when sending messages to Slack.

Signed-off-by: Ben Kelly <bk@ancilla.ca>
Signed-off-by: Ben Kelly <btk@google.com>
---
 wee_slack.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/wee_slack.py b/wee_slack.py
index 0da53f0..b974fea 100644
--- a/wee_slack.py
+++ b/wee_slack.py
@@ -2520,9 +2520,16 @@ def linkify_text(message, team, channel):
     usernames = team.get_username_map()
     channels = team.get_channel_map()
     message = (message
+        # Replace IRC formatting chars with Slack formatting chars.
         .replace('\x02', '*')
         .replace('\x1D', '_')
         .replace('\x1F', config.map_underline_to)
+        # Escape chars that have special meaning to Slack. Note that we do not
+        # (and should not) perform a full URL escaping here.
+        # See https://api.slack.com/docs/message-formatting for details.
+        .replace('<', '&lt')
+        .replace('>', '&gt')
+        .replace('&', '&amp')
         .split(' '))
     for item in enumerate(message):
         targets = re.match('^\s*([@#])([\w.-]+[\w. -])(\W*)', item[1])
-- 
cgit