From d40f7060769abb5867bece0f8452eea94bb5dd64 Mon Sep 17 00:00:00 2001
From: Asheesh Laroia
Date: Wed, 7 Sep 2016 11:23:30 -0700
Subject: [PATCH] HTML-escape username when storing in Meteor Errors

---
 packages/rocketchat-lib/server/methods/setUsername.coffee | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/packages/rocketchat-lib/server/methods/setUsername.coffee b/packages/rocketchat-lib/server/methods/setUsername.coffee
index 4031056c91d..3438c74b2f1 100644
--- a/packages/rocketchat-lib/server/methods/setUsername.coffee
+++ b/packages/rocketchat-lib/server/methods/setUsername.coffee
@@ -20,15 +20,15 @@ Meteor.methods
 nameValidation = new RegExp '^[0-9a-zA-Z-_.]+$'
 if not nameValidation.test username
- throw new Meteor.Error 'username-invalid', "#{username} is not a valid username, use only letters, numbers, dots, hyphens and underscores"
+ throw new Meteor.Error 'username-invalid', "#{_.escape(username)} is not a valid username, use only letters, numbers, dots, hyphens and underscores"
 if user.username != undefined
 if not username.toLowerCase() == user.username.toLowerCase()
 if not RocketChat.checkUsernameAvailability username
- throw new Meteor.Error 'error-field-unavailable', "" + username + " is already in use :(", { method: 'setUsername', field: username }
+ throw new Meteor.Error 'error-field-unavailable', "" + _.escape(username) + " is already in use :(", { method: 'setUsername', field: username }
 else if not RocketChat.checkUsernameAvailability username
- throw new Meteor.Error 'error-field-unavailable', "" + username + " is already in use :(", { method: 'setUsername', field: username }
+ throw new Meteor.Error 'error-field-unavailable', "" + _.escape(username) + " is already in use :(", { method: 'setUsername', field: username }
 unless RocketChat.setUsername user._id, username
 throw new Meteor.Error 'error-could-not-change-username', "Could not change username", { method: 'setUsername' }
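Review bot: The `field: username` value in the details object of both `error-field-unavailable` throws is still the raw string, so a client that renders `error.details.field` into markup receives exactly the input the message change was meant to neutralise; either escape it there as well or add a comment such as `# details.field is raw data; callers must encode it before rendering`. By the time those two branches run the username has already passed `nameValidation` (`^[0-9a-zA-Z-_.]+$`), which admits no HTML metacharacters, so `_.escape` in them is a no-op and the only throw that can carry arbitrary input is the `username-invalid` one. Escaping inside the server-side reason string is also a source-side fix: a client that already HTML-escapes `error.reason` on output (or assigns it via textContent) will now display `&lt;` and `&amp;` literally, so it is worth confirming how the reason is rendered before relying on this rather than encoding at the sink. The enclosing `setUsername` method body starts before this hunk.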