[FIX] Encode avatar url to prevent CSS injection

pull/6651/head
Rodrigo Nascimento 8 years ago
parent 557f617a18
commit e44e612557
  1. 2
      packages/rocketchat-ui-message/client/message.coffee
  2. 2
      packages/rocketchat-ui-message/client/message.html

@ -1,6 +1,8 @@
import moment from 'moment'
Template.message.helpers
encodeURI: (text) ->
return encodeURI(text)
isBot: ->
return 'bot' if this.bot?
roleTags: ->

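--- a/packages/rocketchat-ui-message/client/message.html
+++ b/packages/rocketchat-ui-message/client/message.html
@@ -6,7 +6,7 @@
 {{else}}
 <button class="thumb user-card-message" data-username="{{u.username}}" tabindex="1">
 <div class="avatar">
-<div class="avatar-image" style="background-image:url({{avatar}});"></div>
+<div class="avatar-image" style="background-image:url({{encodeURI avatar}});"></div>
 </div>
 </button>
 {{/if}}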
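Review bot: The new `url({{encodeURI avatar}})` on the avatar-image line is still an unquoted CSS url() token, and encodeURI leaves `(`, `)` and `'` unencoded, so a value such as `x);color:red;background:url(` still terminates the url() and injects further declarations — the breakout the commit title says it prevents. encodeURI does neutralise `"`, whitespace, `\` and `<`/`>`, so the change narrows the hole without closing it. I would harden the `encodeURI` helper added in message.coffee (the other file section) so the url()-terminating characters are percent-encoded too: `return encodeURI(text).replace(/[()']/g, (c) -> '%' + c.charCodeAt(0).toString(16).toUpperCase())`. Note also that encodeURI re-encodes `%`, so an avatar URL that is already percent-encoded will be double-encoded; presumably `avatar` yields a raw path here — confirm against the avatar helper.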
