fix(msteams): decode & last in stripHtmlFromTeamsMessage to avoid… · openclaw/openclaw@80bd000
ly-wang19
·
2026-06-24
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -37,6 +37,15 @@ describe("stripHtmlFromTeamsMessage", () => {
|
37 | 37 | ); |
38 | 38 | }); |
39 | 39 | |
| 40 | +it("does not double-decode escaped entities (decodes & last)", () => { |
| 41 | +// Graph encodes literally-typed entity text by escaping its '&' to '&'. |
| 42 | +// Decoding '&' first would re-decode the now-bare '<'/'>' into |
| 43 | +// angle brackets, corrupting the user's literal text. |
| 44 | +expect(stripHtmlFromTeamsMessage("The token is &lt;APIKEY&gt;")).toBe( |
| 45 | +"The token is <APIKEY>", |
| 46 | +); |
| 47 | +}); |
| 48 | + |
40 | 49 | it("normalizes multiple whitespace to single space", () => { |
41 | 50 | expect(stripHtmlFromTeamsMessage("hello world")).toBe("hello world"); |
42 | 51 | }); |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -35,14 +35,16 @@ export function stripHtmlFromTeamsMessage(html: string): string {
|
35 | 35 | let text = html.replace(/<at[^>]*>(.*?)<\/at>/gi, "@$1"); |
36 | 36 | // Strip remaining HTML tags. |
37 | 37 | text = text.replace(/<[^>]*>/g, " "); |
38 | | -// Decode common HTML entities. |
| 38 | +// Decode common HTML entities. & must be decoded LAST to prevent |
| 39 | +// double-decoding (e.g. &lt; → < not <), matching decodeHtmlEntities |
| 40 | +// in inbound.ts. |
39 | 41 | text = text |
40 | | -.replace(/&/g, "&") |
41 | 42 | .replace(/</g, "<") |
42 | 43 | .replace(/>/g, ">") |
43 | 44 | .replace(/"/g, '"') |
44 | 45 | .replace(/'/g, "'") |
45 | | -.replace(/ /g, " "); |
| 46 | +.replace(/ /g, " ") |
| 47 | +.replace(/&/g, "&"); |
46 | 48 | // Normalize whitespace. |
47 | 49 | return text.replace(/\s+/g, " ").trim(); |
48 | 50 | } |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。