fix: escaping in action rule templating

[UnderKoen]

When having a value that uses for example & or < it is escaped. We don't render the content as plain html so this is not needed.

Testcase:

• have a rule that just sets notes to template {{notes}}
• Create a transaction with & in the name notice the escape

[netlify]

✅ Deploy Preview for actualbudget ready!

Name	Link
🔨 Latest commit	31da568
🔍 Latest deploy log	https://app.netlify.com/sites/actualbudget/deploys/67096325f536fc00082d83ac
😎 Deploy Preview	https://deploy-preview-3632.demo.actualbudget.org
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[github-actions]

Bundle Stats — desktop-client

Hey there, this message comes from a GitHub action that helps you and reviewers to understand how these changes affect the size of this project's bundle.

As this PR is updated, I'll keep you updated on how the bundle size is impacted.

Total

Files count	Total bundle size	% Changed
9	5.34 MB	0%

Changeset

No files were changed

View detailed bundle breakdown

Added

No assets were added

Removed

No assets were removed

Bigger

No assets were bigger

Smaller

No assets were smaller

Unchanged

Asset	File Size	% Changed
static/js/usePreviewTransactions.js	1.64 kB	0%
static/js/BackgroundImage.js	122.29 kB	0%
static/js/indexeddb-main-thread-worker-e59fee74.js	13.5 kB	0%
static/js/resize-observer.js	18.37 kB	0%
static/js/AppliedFilters.js	20.96 kB	0%
static/js/narrow.js	82.55 kB	0%
static/js/wide.js	242.95 kB	0%
static/js/ReportRouter.js	1.51 MB	0%
static/js/index.js	3.34 MB	0%

[github-actions]

Bundle Stats — loot-core

Hey there, this message comes from a GitHub action that helps you and reviewers to understand how these changes affect the size of this project's bundle.

As this PR is updated, I'll keep you updated on how the bundle size is impacted.

Total

Files count	Total bundle size	% Changed
1	1.26 MB → 1.26 MB (+14 B)	+0.00%

Changeset

File	Δ	Size
packages/loot-core/src/server/accounts/rules.ts	📈 +56 B (+0.17%)	33.11 kB → 33.17 kB

View detailed bundle breakdown

Added

No assets were added

Removed

No assets were removed

Bigger

Asset	File Size	% Changed
kcab.worker.js	1.26 MB → 1.26 MB (+14 B)	+0.00%

Smaller

No assets were smaller

Unchanged

No assets were unchanged

[coderabbitai]

Walkthrough

The pull request introduces a new test case in the Action class within the packages/loot-core/src/server/accounts/rules.test.ts file, specifically targeting the behavior of the set operator when the template is set to {{notes}}. This test case ensures that text is not escaped and is directly assigned to the notes field, preserving the original note with special characters. Additionally, modifications are made to the Action class in packages/loot-core/src/server/accounts/rules.ts, where the constructor is updated to include a noEscape: true option in the Handlebars.compile method. This change allows templates to be compiled without escaping, affecting how templates are processed and rendered. Minor adjustments to comments and formatting are also included, but they do not alter the core functionality of the code.

Possibly related PRs

• feat(rules): templating actions #3305: Introduces templating actions within rules, enhancing the Action class's templating capabilities, including the handling of the set operator.
• fix creating rule from transaction #3539: Focuses on fixing the rule creation process from transactions, indirectly related as both involve management and execution of rules utilizing templating features.

Suggested labels

sparkles: Merged

Suggested reviewers

• youngcw
• matt-fidd

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between f9c08a9 and 0cead09.

⛔ Files ignored due to path filters (1)

• upcoming-release-notes/3632.md is excluded by !**/*.md

📒 Files selected for processing (2)

• packages/loot-core/src/server/accounts/rules.test.ts (1 hunks)
• packages/loot-core/src/server/accounts/rules.ts (1 hunks)

🧰 Additional context used

🔇 Additional comments (2)

packages/loot-core/src/server/accounts/rules.test.ts (1)

330-338: LGTM! The new test case effectively verifies the non-escaping behavior.

The added test case correctly checks that special characters in the notes are preserved when using the set operator with a template. This aligns well with the PR objective of fixing escaping in action rule templating.

packages/loot-core/src/server/accounts/rules.ts (1)

568-570: LGTM! This change addresses the escaping issue in action rule templating.

The addition of noEscape: true option to Handlebars.compile method prevents automatic HTML escaping in the template output. This modification aligns with the PR objective and resolves the issue of unnecessary escaping of characters like & and < in the template output.

Given that the content is not rendered as plain HTML, this change doesn't introduce any apparent security risks while solving the reported problem.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[matt-fidd]

Thanks for this!