Fix double-escaped HTML entities in webhook payloads

`Event::Description#to_plain_text` now returns an html-safe string to
prevent double-escaping when the ERB template renders the basecamp
and campfire payloads.

ref: https://3.basecamp.com/2914079/buckets/27/card_tables/cards/9574495379
This commit is contained in:
Mike Dalessio
2026-02-13 01:47:34 -05:00
parent 4ead778e12
commit 0c10622672
3 changed files with 216 additions and 14 deletions
+96
View File
@@ -245,6 +245,102 @@ class Webhook::DeliveryTest < ActiveSupport::TestCase
assert_requested request_stub
end
test "basecamp webhook payload html-escapes special characters" do
cards(:logo).update_column(:title, %(Tom & Jerry's <Great> "Adventure"))
webhook = Webhook.create!(
board: boards(:writebook),
name: "Basecamp",
url: "https://3.basecamp.com/123/integrations/webhook/buckets/456/chats/789/lines"
)
delivery = Webhook::Delivery.create!(webhook: webhook, event: events(:logo_published))
captured_body = nil
stub_request(:post, webhook.url)
.with { |request| captured_body = request.body; true }
.to_return(status: 200)
delivery.deliver
content = CGI.parse(captured_body)["content"].first
expected = <<~HTML.strip
David added &quot;Tom &amp; Jerry&#39;s &lt;Great&gt; &quot;Adventure&quot;&quot;
<a href="http://example.org/897362094/cards/1"></a>
HTML
assert_equal expected, content
end
test "slack webhook payload html-escapes special characters" do
cards(:logo).update_column(:title, %(Tom & Jerry's <Great> "Adventure"))
webhook = Webhook.create!(
board: boards(:writebook),
name: "Slack",
url: "https://hooks.slack.com/services/T12345678/B12345678/abcdefghijklmnopqrstuvwx" # gitleaks:allow
)
delivery = Webhook::Delivery.create!(webhook: webhook, event: events(:logo_published))
captured_body = nil
stub_request(:post, webhook.url)
.with { |request| captured_body = request.body; true }
.to_return(status: 200)
delivery.deliver
text = JSON.parse(captured_body)["text"]
expected = <<~TEXT.strip
David added &quot;Tom &amp; Jerry&#39;s &lt;Great&gt; &quot;Adventure&quot;&quot; <http://example.com/897362094/cards/1|Open in Fizzy>
TEXT
assert_equal expected, text
end
test "campfire webhook payload html-escapes special characters" do
cards(:logo).update_column(:title, %(Tom & Jerry's <Great> "Adventure"))
webhook = Webhook.create!(
board: boards(:writebook),
name: "Campfire",
url: "https://example.com/rooms/123/456-room-name/messages"
)
delivery = Webhook::Delivery.create!(webhook: webhook, event: events(:logo_published))
captured_body = nil
stub_request(:post, webhook.url)
.with { |request| captured_body = request.body; true }
.to_return(status: 200)
delivery.deliver
expected = <<~HTML.strip
David added &quot;Tom &amp; Jerry&#39;s &lt;Great&gt; &quot;Adventure&quot;&quot;
<a href="http://example.org/897362094/cards/1">↗︎</a>
HTML
assert_equal expected, captured_body
end
test "generic webhook payload json-encodes special characters" do
cards(:logo).update_column(:title, %(Tom & Jerry's <Great> "Adventure"))
webhook = Webhook.create!(
board: boards(:writebook),
name: "Generic",
url: "https://example.com/webhook"
)
delivery = Webhook::Delivery.create!(webhook: webhook, event: events(:logo_published))
captured_body = nil
stub_request(:post, webhook.url)
.with { |request| captured_body = request.body; true }
.to_return(status: 200)
delivery.deliver
json = JSON.parse(captured_body)
assert_equal %(Tom & Jerry's <Great> "Adventure"), json["eventable"]["title"]
end
test "renders creator name when event creator is not current user" do
webhook = Webhook.create!(
board: boards(:writebook),