From 94cdfe1e64862f6d470f4750c79be31ad77735fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?=
Date: Fri, 12 May 2017 11:15:23 +0300
Subject: [PATCH] Check.schedule contains user input and needs to be escaped.

---
 hc/api/tests/test_notify.py | 12 ++++++++++++
 templates/integrations/slack_message.json | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/hc/api/tests/test_notify.py b/hc/api/tests/test_notify.py
index 3e9c9c87..d9ab80d5 100644
--- a/hc/api/tests/test_notify.py
+++ b/hc/api/tests/test_notify.py
@@ -205,6 +205,18 @@ class NotifyTestCase(BaseTestCase):
 n = Notification.objects.get()
 self.assertEqual(n.error, "Connection timed out")
 
+ @patch("hc.api.transports.requests.request")
+ def test_slack_with_tabs_in_schedule(self, mock_post):
+ self._setup_data("slack", "123")
+ self.check.kind = "cron"
+ self.check.schedule = "*\t* * * *"
+ self.check.save()
+ mock_post.return_value.status_code = 200
+
+ self.channel.notify(self.check)
+ self.assertEqual(Notification.objects.count(), 1)
+ self.assertTrue(mock_post.called)
+
 @patch("hc.api.transports.requests.request")
 def test_hipchat(self, mock_post):
 self._setup_data("hipchat", "123")
diff --git a/templates/integrations/slack_message.json b/templates/integrations/slack_message.json
index e55ce3d8..905a4d41 100644
--- a/templates/integrations/slack_message.json
+++ b/templates/integrations/slack_message.json
@@ -20,7 +20,7 @@
 },
 {% elif check.kind == "cron" %}
 {"title": "Schedule",
- "value": "{{ check.schedule }}",
+ "value": "{{ check.schedule|escapejs }}",
 "short": true
 },
 {% endif %}
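Review bot: test_slack_with_tabs_in_schedule only asserts that a request was sent, so it would still pass if the schedule were mangled or dropped from the payload. It should also read `mock_post.call_args` and assert that the Schedule field decodes back to the original string, and that the notification's `error` is empty. The single tab covers control characters, but a double quote and a backslash are the characters that can change the structure of the rendered JSON, so a second schedule value containing both would pin the escaping more tightly. How the transport hands the payload to `requests.request` is not visible in this hunk, so the exact lookup into `call_args` needs confirming against `hc.api.transports`.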
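Review bot: `escapejs` on the `"value"` line is a JavaScript-string escaper, not a JSON encoder, so the fix relies on its `\uXXXX` output also being valid inside a JSON string. That reliance deserves a template comment above the field, for example `{# schedule is user input; escapejs keeps the rendered JSON parseable #}`. The rest of slack_message.json is outside the hunk, so any other field that interpolates user-supplied text (check name, tags) should be confirmed to carry the same filter. Building the payload as a dict and serialising it with `json.dumps` would remove this class of bug, instead of fixing it field by field.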