Merge pull request #990 from bitovi/notifications-text

Escape text in notifications + bump node version

Author: arm4b

CHANGELOG.rst

@@ -17,6 +17,7 @@ Changed
 
   Reported by @cded from @Bitovi
 
+
 Fixed
 ~~~~~
 * Fixed CircleCI tests
@@ -27,6 +28,10 @@ Fixed
 
   Contributed by @luislobo
 
+* Escaped text in notifications. #990
+
+  Contributed by @cded from @Bitovi
+
 
 v2.4.3
 ------

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:14.20.0
+FROM node:14.20.1
 
 # Create app directory
 WORKDIR /opt/stackstorm/static/webui/st2web

Dockerfile-dev

@@ -1,4 +1,4 @@
-FROM node:14.20.0
+FROM node:14.20.1
 
 # Create app directory
 WORKDIR /opt/stackstorm/static/webui/st2web

Dockerfile-nginx

@@ -1,4 +1,4 @@
-FROM node:14.20.0 as build
+FROM node:14.20.1 as build
 
 # Create app directory
 WORKDIR /opt/stackstorm/static/webui/st2web

Dockerfile-nginx-dev

@@ -1,4 +1,4 @@
-FROM node:14.20.0 as build
+FROM node:14.20.1 as build
 
 # Create app directory
 WORKDIR /opt/stackstorm/static/webui/st2web

modules/st2-notification/notification.js

@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+const escapeHtml = require('escape-html');
 
 const Noty = (function() {
   // don't include this during testing
@@ -43,6 +44,7 @@ export class Notification {
   }
 
   notify(type, text, { buttons = [], err, execution_id, ...options } = {}) {
+    text = escapeHtml(text);
     if (err) {
       let expanded = !!execution_id;
       let stack = null;