From 5be0982abd115b2d18f0c4f6f27319265d4b42f9 Mon Sep 17 00:00:00 2001
From: Guillaume Smet
Date: Tue, 20 Aug 2024 13:21:14 +0200
Subject: [PATCH] Do some naive HTML escaping

Some errors can contain XML and part of the message uses HTML blocks so we need to take care of that.
---
 .../githubactions/WorkflowReportFormatter.java | 16 ++++++++++++++++
 .../WorkflowReportFormatter/checkRunReport.md | 8 ++++----
 .../WorkflowReportFormatter/commentReport.md | 8 ++++----
 3 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/build-reporter-github-actions/src/main/java/io/quarkus/bot/buildreporter/githubactions/WorkflowReportFormatter.java b/build-reporter-github-actions/src/main/java/io/quarkus/bot/buildreporter/githubactions/WorkflowReportFormatter.java
index 6e4b230..78732af 100644
--- a/build-reporter-github-actions/src/main/java/io/quarkus/bot/buildreporter/githubactions/WorkflowReportFormatter.java
+++ b/build-reporter-github-actions/src/main/java/io/quarkus/bot/buildreporter/githubactions/WorkflowReportFormatter.java
@@ -7,6 +7,7 @@
 import io.quarkus.bot.buildreporter.githubactions.report.WorkflowReport;
 import io.quarkus.bot.buildreporter.githubactions.report.WorkflowReportJobIncludeStrategy;
 import io.quarkus.qute.CheckedTemplate;
+import io.quarkus.qute.TemplateExtension;
 import io.quarkus.qute.TemplateInstance;
 @ApplicationScoped
@@ -52,4 +53,19 @@ public static native TemplateInstance commentReport(WorkflowReport report, boole
 boolean includeStackTraces, boolean includeFailureLinks,
 WorkflowReportJobIncludeStrategy workflowReportJobIncludeStrategy);
 }
+
+ @TemplateExtension
+ public class TemplateExtensions {
+
+ /**
+ * This is very naive and just designed to not break the markdown.
+ */
+ public static String escapeHtml(String html) {
+ if (html == null || html.isBlank()) {
+ return html;
+ }
+
+ return html.replace("&", "&").replace("<", "<").replace(">", ">");
+ }
+ }
 }
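Review bot: `escapeHtml` in the second hunk leaves `"` and `'` untouched, so its output is only safe as HTML element text and not inside an attribute value such as an `href`; the Javadoc should state that limit, e.g. `Escapes &, < and > for element content only; not safe for attribute values or URLs.` As displayed on this page each replacement string is identical to its search string, which looks like the page having decoded the entities; confirm the committed source replaces with `&amp;`, `&lt;` and `&gt;`, keeping `&` first as it is here. The holder is declared `public class TemplateExtensions`, a non-static inner class of `WorkflowReportFormatter` (whose body starts outside the hunk) carrying a static method; `public static class TemplateExtensions` drops the hidden outer-instance reference and also compiles on Java versions before 16.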
diff --git a/build-reporter-github-actions/src/main/resources/templates/WorkflowReportFormatter/checkRunReport.md b/build-reporter-github-actions/src/main/resources/templates/WorkflowReportFormatter/checkRunReport.md index 73ce196..84173a7 100644 --- a/build-reporter-github-actions/src/main/resources/templates/WorkflowReportFormatter/checkRunReport.md +++ b/build-reporter-github-actions/src/main/resources/templates/WorkflowReportFormatter/checkRunReport.md @@ -34,7 +34,7 @@ ``` {#for failure : module.testFailures} -

{failure.fullName}{#if failure.failureErrorLine} line {failure.failureErrorLine}{/if}{#if develocityEnabled && develocityUrl} - History{/if}{#if includeFailureLinks} - Source on GitHub - 🠅{/if}

+

{failure.fullName.escapeHtml}{#if failure.failureErrorLine} line {failure.failureErrorLine}{/if}{#if develocityEnabled && develocityUrl} - History{/if}{#if includeFailureLinks} - Source on GitHub - 🠅{/if}

{#if (failure.abbreviatedFailureDetail && includeStackTraces) || (report.sameRepository && failure.failureErrorLine)}
@@ -53,7 +53,7 @@ {/for} {#else if module.projectReportFailure} -

{module.projectReportFailure}

+

{module.projectReportFailure.escapeHtml}

{#else}

We were unable to extract a useful error message.

@@ -77,10 +77,10 @@ #### :package: {module.name ? module.name : "Root project"} {#for flakyTest : module.flakyTests} -

{flakyTest.fullName}{#if develocityEnabled && develocityUrl} - History{/if}

+

{flakyTest.fullName.escapeHtml}{#if develocityEnabled && develocityUrl} - History{/if}

{#for flake : flakyTest.flakes} -- `{flake.message}`{#if flake.type} - {flake.type}{/if} +- `{flake.message}`{#if flake.type} - `{flake.type}`{/if} {#if flake.abbreviatedStackTrace.trim && includeStackTraces}
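Review bot: `{flake.message}` and the newly back-ticked `{flake.type}` are written unescaped inside a Markdown code span, so a backtick in either value closes the span early and the remainder of the string is rendered as Markdown/HTML, which is the same kind of breakage this commit fixes for the name fields. These strings come from test output, which for pull-request builds is presumably contributor-controlled, so they should be treated as untrusted. Consider neutralising backticks in a template extension alongside `escapeHtml`, or emitting the values as HTML element text with `.escapeHtml` applied. The identical line in the last hunk of commentReport.md needs the same treatment.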
diff --git a/build-reporter-github-actions/src/main/resources/templates/WorkflowReportFormatter/commentReport.md b/build-reporter-github-actions/src/main/resources/templates/WorkflowReportFormatter/commentReport.md index 827cfc0..ecc3e02 100644 --- a/build-reporter-github-actions/src/main/resources/templates/WorkflowReportFormatter/commentReport.md +++ b/build-reporter-github-actions/src/main/resources/templates/WorkflowReportFormatter/commentReport.md @@ -66,7 +66,7 @@ Full information is available in the [Build summary check run]({checkRun.htmlUrl {#if module.testFailures} {#for failure : module.testFailures} -

{failure.fullName}{#if failure.failureErrorLine} line {failure.failureErrorLine}{/if}{#if develocityEnabled && develocityUrl} - History{/if}{#if includeFailureLinks} - {#if checkRun && failure.failureDetail}More details - {/if}Source on GitHub{/if}

+

{failure.fullName.escapeHtml}{#if failure.failureErrorLine} line {failure.failureErrorLine}{/if}{#if develocityEnabled && develocityUrl} - History{/if}{#if includeFailureLinks} - {#if checkRun && failure.failureDetail}More details - {/if}Source on GitHub{/if}

{#if failure.abbreviatedFailureDetail && includeStackTraces}
@@ -80,7 +80,7 @@ Full information is available in the [Build summary check run]({checkRun.htmlUrl {/for} {#else if module.projectReportFailure} -

{module.projectReportFailure}

+

{module.projectReportFailure.escapeHtml}

{#else}

We were unable to extract a useful error message.

@@ -120,10 +120,10 @@ It should be safe to merge provided you have a look at the other checks in the s #### :package: {module.name ? module.name : "Root project"} {#for flakyTest : module.flakyTests} -

{flakyTest.fullName}{#if develocityEnabled && develocityUrl} - History{/if}

+

{flakyTest.fullName.escapeHtml}{#if develocityEnabled && develocityUrl} - History{/if}

{#for flake : flakyTest.flakes} -- `{flake.message}`{#if flake.type} - {flake.type}{/if} +- `{flake.message}`{#if flake.type} - `{flake.type}`{/if} {#if flake.abbreviatedStackTrace.trim && includeStackTraces}