Escape HTML in commit titles (#115)

* Escape HTML in commit title while generating changelogs Do not escape HTML if the user is applying a custom hook on the changelogs * Fix lockfile * Fixed comment * Removed semicolons
vercel · Jan 16, 2018 · 2e66623 · 2e66623
1 parent 9da1d60
commit 2e66623
Show file tree

Hide file tree

Showing 5 changed files with 125 additions and 3,602 deletions.
diff --git a/bin/release.js b/bin/release.js
@@ -244,7 +244,7 @@ const orderCommits = async (commits, tags, exists) => {
 
   const results = Object.assign({}, predefined, answers)
   const grouped = groupChanges(results, changeTypes)
-  const changes = await createChangelog(grouped, commits, changeTypes)
+  const changes = await createChangelog(grouped, commits, changeTypes, flags.hook)
 
   let { credits, changelog } = changes
 

diff --git a/lib/changelog.js b/lib/changelog.js
@@ -17,7 +17,7 @@ const getAuthor = async ({ author }) => {
   return username
 }
 
-module.exports = async (types, commits, changeTypes) => {
+module.exports = async (types, commits, changeTypes, filteringWithHook) => {
   let text = ''
   const credits = new Set()
 
@@ -44,7 +44,14 @@ module.exports = async (types, commits, changeTypes) => {
     const lastChange = changes[changes.length - 1]
 
     for (const change of changes) {
-      const changeDetails = await pickCommit(change, commits.all, changeTypes)
+      const changeDetails = await pickCommit(
+        change,
+        commits.all,
+        changeTypes,
+        // Do not escape HTML from commit title
+        // if a custom hook is being used
+        !filteringWithHook
+      )
 
       if (changeDetails.text) {
         text += changeDetails.text

diff --git a/lib/pick-commit.js b/lib/pick-commit.js
@@ -1,5 +1,6 @@
 // Packages
 const capitalize = require('capitalize')
+const escapeGoat = require('escape-goat')
 
 // Utilities
 const connect = require('./connect')
@@ -35,7 +36,7 @@ const forPullRequest = async number => {
   return false
 }
 
-const cleanCommitTitle = (title, changeTypes) => {
+const cleanCommitTitle = (title, changeTypes, doEscapeHTML) => {
   const toReplace = {
     type: definitions.type(title, changeTypes),
     ref: definitions.reference(title)
@@ -53,14 +54,18 @@ const cleanCommitTitle = (title, changeTypes) => {
     }
   }
 
+  if (doEscapeHTML) {
+    title = escapeGoat.escape(title)
+  }
+
   return {
     content: capitalize(title).trim(),
     ref: toReplace.ref
   }
 }
 
-module.exports = async ({ hash, message }, all, changeTypes) => {
-  const title = cleanCommitTitle(message, changeTypes)
+module.exports = async ({ hash, message }, all, changeTypes, doEscapeHTML) => {
+  const title = cleanCommitTitle(message, changeTypes, doEscapeHTML)
   let credits = []
 
   if (title.ref) {