fixup! fix: escape error.message on login failure

Author: jsjoeio

src/node/util.ts

@@ -521,5 +521,5 @@ export function escapeHtml(unsafe: string): string {
     .replace(/</g, "&lt;")
     .replace(/>/g, "&gt;")
     .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#039;")
+    .replace(/'/g, "&apos;")
 }

test/unit/node/util.test.ts

@@ -437,8 +437,8 @@ describe("onLine", () => {
 
 describe("escapeHtml", () => {
   it("should escape HTML", () => {
-    expect(util.escapeHtml(`<div class="error">"Hello & world"</div>`)).toBe(
-      "&lt;div class=&quot;error&quot;&gt;&quot;Hello &amp; world&quot;&lt;/div&gt;",
+    expect(util.escapeHtml(`<div class="error">"'ello & world"</div>`)).toBe(
+      "&lt;div class=&quot;error&quot;&gt;&quot;&apos;ello &amp; world&quot;&lt;/div&gt;",
     )
   })
 })

test/unit/routes/login.test.ts

@@ -60,18 +60,14 @@ describe("login", () => {
       process.env.PASSWORD = previousEnvPassword
     })
 
-    it("should return escaped HTML with 'Missing password' message", async () => {
+    it("should return HTML with 'Missing password' message", async () => {
       const resp = await codeServer().fetch("/login", { method: "POST" })
 
       expect(resp.status).toBe(200)
 
       const htmlContent = await resp.text()
 
-      expect(htmlContent).not.toContain(">")
-      expect(htmlContent).not.toContain("<")
-      expect(htmlContent).not.toContain('"')
-      expect(htmlContent).not.toContain("'")
-      expect(htmlContent).toContain("&lt;div class=&quot;error&quot;&gt;Missing password&lt;/div&gt;")
+      expect(htmlContent).toContain("Missing password")
     })
   })
 })