From a859d507e769cf216ad2749122ff5e2cc579c5b8 Mon Sep 17 00:00:00 2001 From: Jarek Radosz Date: Wed, 17 Jun 2020 12:37:06 +0200 Subject: [PATCH] FIX: Prevent producing "undefined" strings (#10042) Fixes a bug in search-menu-results (type: "group"), where: ```javascript const fullName = escapeExpression(group.fullName); const name = escapeExpression(group.name); const groupNames = [h("span.name", fullName || name)]; ``` `groupNames` could end up having value "undefined" if a group doesn't have a `fullName`. --- .../discourse/app/lib/utilities.js | 4 ++++ test/javascripts/lib/utilities-test.js | 22 +++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/app/assets/javascripts/discourse/app/lib/utilities.js b/app/assets/javascripts/discourse/app/lib/utilities.js index 92fa344134..cee9ce5faf 100644 --- a/app/assets/javascripts/discourse/app/lib/utilities.js +++ b/app/assets/javascripts/discourse/app/lib/utilities.js @@ -25,6 +25,10 @@ export function translateSize(size) { } export function escapeExpression(string) { + if (!string) { + return ""; + } + // don't escape SafeStrings, since they're already safe if (string instanceof Handlebars.SafeString) { return string.toString(); diff --git a/test/javascripts/lib/utilities-test.js b/test/javascripts/lib/utilities-test.js index f3d14a2657..1ac73ec865 100644 --- a/test/javascripts/lib/utilities-test.js +++ b/test/javascripts/lib/utilities-test.js @@ -1,5 +1,6 @@ /* global Int8Array:true */ import { + escapeExpression, emailValid, extractDomainFromUrl, avatarUrl, 
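Review bot: The new guard `if (!string) { return ""; }` in escapeExpression swallows every falsy input, so `escapeExpression(0)` and `escapeExpression(false)` now yield `""` where, as far as I recall, Handlebars' own escapeExpression yields `"0"` and `"false"`; a caller that interpolates a numeric zero (a count, an id) would render nothing. The bug the commit message describes only needs `undefined` and `null` to become `""`, which `if (string == null) { return ""; }` covers without touching the other falsy cases — assuming the remainder of the function, which lies outside this hunk, already stringifies non-string input before escaping. Whichever behaviour is intended, a short comment above the guard, e.g. `// null/undefined render as "" rather than the string "undefined"`, would make the choice explicit for the next reader.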
@@ -14,9 +15,30 @@ import { fillMissingDates, inCodeBlock } from "discourse/lib/utilities"; +import Handlebars from "handlebars"; QUnit.module("lib:utilities"); +QUnit.test("escapeExpression", assert => { + assert.equal( + escapeExpression(">"), + ">", + "escapes unsafe characters" + ); + + assert.equal( + escapeExpression(new Handlebars.SafeString(">")), + ">", + "does not double-escape safe strings" + ); + + assert.equal( + escapeExpression(undefined), + "", + "returns a falsy string when given a falsy value" + ); +}); + QUnit.test("emailValid", assert => { assert.ok( emailValid("Bob@example.com"),
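Review bot: The new escapeExpression test pins only `undefined` for the falsy branch, although the guard added in utilities.js rejects every falsy value; adding `assert.equal(escapeExpression(null), "", "null")` plus one assertion each for `0` and `false` would make the behaviour for those inputs (empty string versus `"0"`/`"false"`) a deliberate contract rather than an accident of the `!string` check. The first assertion's expected value is rendered here as `">"`, which would assert nothing about escaping; presumably the file reads `"&gt;"` and the page unescaped it, but it is worth confirming. The message `"returns a falsy string when given a falsy value"` would read more precisely as `"returns an empty string for undefined"`.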