[FIX] Encode avatar url to prevent CSS injection

8 years ago · e44e612557
parent 557f617a18
commit e44e612557
2 changed files with 3 additions and 1 deletions
--- a/packages/rocketchat-ui-message/client/message.coffee
+++ b/packages/rocketchat-ui-message/client/message.coffee
@ -1,6 +1,8 @@
 import moment from 'moment'

 Template.message.helpers
+	encodeURI: (text) ->
+		return encodeURI(text)
 	isBot: ->
 		return 'bot' if this.bot?
 	roleTags: ->
--- a/packages/rocketchat-ui-message/client/message.html
+++ b/packages/rocketchat-ui-message/client/message.html
@ -6,7 +6,7 @@
 			{{else}}
 				<button class="thumb user-card-message" data-username="{{u.username}}" tabindex="1">
 					<div class="avatar">
-						<div class="avatar-image" style="background-image:url({{avatar}});"></div>
+						<div class="avatar-image" style="background-image:url({{encodeURI avatar}});"></div>
 					</div>
 				</button>
 			{{/if}}