Check.schedule contains user input and needs to be escaped.

hc/api/tests/test_notify.py

@@ -205,6 +205,18 @@ class NotifyTestCase(BaseTestCase):
         n = Notification.objects.get()
         self.assertEqual(n.error, "Connection timed out")
 
+    @patch("hc.api.transports.requests.request")
+    def test_slack_with_tabs_in_schedule(self, mock_post):
+        self._setup_data("slack", "123")
+        self.check.kind = "cron"
+        self.check.schedule = "*\t* * * *"
+        self.check.save()
+        mock_post.return_value.status_code = 200
+
+        self.channel.notify(self.check)
+        self.assertEqual(Notification.objects.count(), 1)
+        self.assertTrue(mock_post.called)
+
     @patch("hc.api.transports.requests.request")
     def test_hipchat(self, mock_post):
         self._setup_data("hipchat", "123")

templates/integrations/slack_message.json

@@ -20,7 +20,7 @@
                 },
             {% elif check.kind == "cron" %}
                 {"title": "Schedule",
-                 "value": "{{ check.schedule }}",
+                 "value": "{{ check.schedule|escapejs }}",
                  "short": true
                 },
             {% endif %}