Use the helpers

app/api/server/v1/misc.js

@@ -5,7 +5,6 @@ import { check } from 'meteor/check';
 import { TAPi18n } from 'meteor/rocketchat:tap-i18n';
 import { EJSON } from 'meteor/ejson';
 import { DDPRateLimiter } from 'meteor/ddp-rate-limiter';
-import s from 'underscore.string';
 
 import { hasRole, hasPermission } from '../../../authorization/server';
 import { Info } from '../../../utils/server';
@@ -15,6 +14,7 @@ import { API } from '../api';
 import { getDefaultUserFields } from '../../../utils/server/functions/getDefaultUserFields';
 import { getURL } from '../../../utils/lib/getURL';
 import { StdOut } from '../../../logger/server/streamer';
+import { escapeHTML } from '../../../../lib/escapeHTML';
 
 
 // DEPRECATED
@@ -128,9 +128,9 @@ API.v1.addRoute('shield.svg', { authRequired: false, rateLimiterOptions: { numRe
 		const width = leftSize + rightSize;
 		const height = 20;
 
-		channel = s.escapeHTML(channel);
-		text = s.escapeHTML(text);
-		name = s.escapeHTML(name);
+		channel =	escapeHTML(channel);
+		text = escapeHTML(text);
+		name = escapeHTML(name);
 
 		return {
 			headers: { 'Content-Type': 'image/svg+xml;charset=utf-8' },

app/authentication/server/startup/index.js

@@ -3,7 +3,6 @@ import { Match } from 'meteor/check';
 import { Accounts } from 'meteor/accounts-base';
 import { TAPi18n } from 'meteor/rocketchat:tap-i18n';
 import _ from 'underscore';
-import s from 'underscore.string';
 
 import * as Mailer from '../../../mailer/server/api';
 import { settings } from '../../../settings/server';
@@ -18,6 +17,8 @@ import {
 } from '../lib/restrictLoginAttempts';
 import './settings';
 import { getClientAddress } from '../../../../server/lib/getClientAddress';
+import { escapeHTML } from '../../../../lib/escapeHTML';
+import { escapeRegExp } from '../../../../lib/escapeRegExp';
 
 Accounts.config({
 	forbidClientAccountCreation: true,
@@ -47,9 +48,9 @@ Accounts.emailTemplates.userToActivate = {
 		const email = options.reason ? 'Accounts_Admin_Email_Approval_Needed_With_Reason_Default' : 'Accounts_Admin_Email_Approval_Needed_Default';
 
 		return Mailer.replace(TAPi18n.__(email), {
-			name: s.escapeHTML(options.name),
-			email: s.escapeHTML(options.email),
-			reason: s.escapeHTML(options.reason),
+			name: escapeHTML(options.name),
+			email: escapeHTML(options.email),
+			reason: escapeHTML(options.reason),
 		});
 	},
 };
@@ -69,7 +70,7 @@ Accounts.emailTemplates.userActivated = {
 		const action = active ? activated : 'Deactivated';
 
 		return Mailer.replace(TAPi18n.__(`Accounts_Email_${ action }`), {
-			name: s.escapeHTML(name),
+			name: escapeHTML(name),
 		});
 	},
 };
@@ -121,8 +122,8 @@ Accounts.emailTemplates.enrollAccount.subject = function(user) {
 
 Accounts.emailTemplates.enrollAccount.html = function(user = {}/* , url*/) {
 	return Mailer.replace(enrollAccountTemplate, {
-		name: s.escapeHTML(user.name),
-		email: user.emails && user.emails[0] && s.escapeHTML(user.emails[0].address),
+		name: escapeHTML(user.name),
+		email: user.emails && user.emails[0] && escapeHTML(user.emails[0].address),
 	});
 };
 
@@ -370,15 +371,15 @@ Accounts.validateNewUser(function(user) {
 	}
 
 	let domainWhiteList = settings.get('Accounts_AllowedDomainsList');
-	if (_.isEmpty(s.trim(domainWhiteList))) {
+	if (_.isEmpty(domainWhiteList?.trim())) {
 		return true;
 	}
 
 	domainWhiteList = domainWhiteList.split(',').map((domain) => domain.trim());
 
 	if (user.emails && user.emails.length > 0) {
 		const email = user.emails[0].address;
-		const inWhiteList = domainWhiteList.some((domain) => email.match(`@${ RegExp.escape(domain) }$`));
+		const inWhiteList = domainWhiteList.some((domain) => email.match(`@${ escapeRegExp(domain) }$`));
 
 		if (inWhiteList === false) {
 			throw new Meteor.Error('error-invalid-domain');

app/autotranslate/server/autotranslate.js

@@ -1,12 +1,12 @@
 import { Meteor } from 'meteor/meteor';
 import _ from 'underscore';
-import s from 'underscore.string';
 
 import { settings } from '../../settings';
 import { callbacks } from '../../callbacks';
 import { Subscriptions, Messages } from '../../models';
 import { Markdown } from '../../markdown/server';
 import { Logger } from '../../logger';
+import { escapeHTML } from '../../../lib/escapeHTML';
 
 const Providers = Symbol('Providers');
 const Provider = Symbol('Provider');
@@ -273,7 +273,7 @@ export class AutoTranslate {
 		if (message.msg) {
 			Meteor.defer(() => {
 				let targetMessage = Object.assign({}, message);
-				targetMessage.html = s.escapeHTML(String(targetMessage.msg));
+				targetMessage.html = escapeHTML(String(targetMessage.msg));
 				targetMessage = this.tokenize(targetMessage);
 
 				const translations = this._translateMessage(targetMessage, targetLanguages);

app/channel-settings/client/startup/messageTypes.js

@@ -1,6 +1,6 @@
 import { Meteor } from 'meteor/meteor';
-import s from 'underscore.string';
 
+import { escapeHTML } from '../../../../lib/escapeHTML';
 import { MessageTypes } from '../../../ui-utils';
 import { t } from '../../../utils';
 
@@ -24,7 +24,7 @@ Meteor.startup(function() {
 		data(message) {
 			return {
 				user_by: message.u && message.u.username,
-				room_topic: s.escapeHTML(message.msg || `(${ t('None').toLowerCase() })`),
+				room_topic: escapeHTML(message.msg || `(${ t('None').toLowerCase() })`),
 			};
 		},
 	});
@@ -48,7 +48,7 @@ Meteor.startup(function() {
 		data(message) {
 			return {
 				user_by: message.u && message.u.username,
-				room_announcement: s.escapeHTML(message.msg || `(${ t('None').toLowerCase() })`),
+				room_announcement: escapeHTML(message.msg || `(${ t('None').toLowerCase() })`),
 			};
 		},
 	});
@@ -60,7 +60,7 @@ Meteor.startup(function() {
 		data(message) {
 			return {
 				user_by: message.u && message.u.username,
-				room_description: s.escapeHTML(message.msg || `(${ t('None').toLowerCase() })`),
+				room_description: escapeHTML(message.msg || `(${ t('None').toLowerCase() })`),
 			};
 		},
 	});

app/katex/client/index.js

@@ -3,6 +3,8 @@ import { Tracker } from 'meteor/tracker';
 import _ from 'underscore';
 import s from 'underscore.string';
 
+import { escapeHTML } from '../../../lib/escapeHTML';
+import { unescapeHTML } from '../../../lib/unescapeHTML';
 import { callbacks } from '../../callbacks';
 import { settings } from '../../settings';
 
@@ -109,7 +111,7 @@ class Katex {
 		const before = str.substr(0, match.outer.start);
 		const after = str.substr(match.outer.end);
 		let latex = match.inner.extract(str);
-		latex = s.unescapeHTML(latex);
+		latex = unescapeHTML(latex);
 		return {
 			before,
 			latex,
@@ -129,7 +131,7 @@ class Katex {
 			});
 		} catch ({ message }) {
 			return `<div class="katex-error katex-${ displayMode ? 'block' : 'inline' }-error">`
-				+ `${ s.escapeHTML(message) }</div>`;
+				+ `${ escapeHTML(message) }</div>`;
 		}
 	}
 

app/lib/server/functions/notifications/email.js

@@ -8,6 +8,7 @@ import { roomTypes } from '../../../../utils';
 import { metrics } from '../../../../metrics';
 import { callbacks } from '../../../../callbacks';
 import { getURL } from '../../../../utils/server';
+import { escapeHTML } from '../../../../../lib/escapeHTML';
 
 let advice = '';
 let goToMessage = '';
@@ -23,8 +24,8 @@ Meteor.startup(() => {
 function getEmailContent({ message, user, room }) {
 	const lng = (user && user.language) || settings.get('Language') || 'en';
 
-	const roomName = s.escapeHTML(`#${ roomTypes.getRoomName(room.t, room) }`);
-	const userName = s.escapeHTML(settings.get('UI_Use_Real_Name') ? message.u.name || message.u.username : message.u.username);
+	const roomName = escapeHTML(`#${ roomTypes.getRoomName(room.t, room) }`);
+	const userName = escapeHTML(settings.get('UI_Use_Real_Name') ? message.u.name || message.u.username : message.u.username);
 
 	const roomType = roomTypes.getConfig(room.t);
 
@@ -39,7 +40,7 @@ function getEmailContent({ message, user, room }) {
 			return header;
 		}
 
-		let messageContent = s.escapeHTML(message.msg);
+		let messageContent = escapeHTML(message.msg);
 
 		if (message.t === 'e2e') {
 			messageContent = TAPi18n.__('Encrypted_message', { lng });
@@ -66,10 +67,10 @@ function getEmailContent({ message, user, room }) {
 			return fileHeader;
 		}
 
-		let content = `${ s.escapeHTML(message.file.name) }`;
+		let content = `${ escapeHTML(message.file.name) }`;
 
 		if (message.attachments && message.attachments.length === 1 && message.attachments[0].description !== '') {
-			content += `<br/><br/>${ s.escapeHTML(message.attachments[0].description) }`;
+			content += `<br/><br/>${ escapeHTML(message.attachments[0].description) }`;
 		}
 
 		return `${ fileHeader }:<br/><br/>${ content }`;
@@ -85,10 +86,10 @@ function getEmailContent({ message, user, room }) {
 		let content = '';
 
 		if (attachment.title) {
-			content += `${ s.escapeHTML(attachment.title) }<br/>`;
+			content += `${ escapeHTML(attachment.title) }<br/>`;
 		}
 		if (attachment.text) {
-			content += `${ s.escapeHTML(attachment.text) }<br/>`;
+			content += `${ escapeHTML(attachment.text) }<br/>`;
 		}
 
 		return `${ header }:<br/><br/>${ content }`;

app/lib/server/functions/saveUser.js

@@ -11,6 +11,7 @@ import { passwordPolicy } from '../lib/passwordPolicy';
 import { validateEmailDomain } from '../lib';
 import { validateUserRoles } from '../../../../ee/app/authorization/server/validateUserRoles';
 import { saveUserIdentity } from './saveUserIdentity';
+import { escapeHTML } from '../../../../lib/escapeHTML';
 
 import { checkEmailAvailability, checkUsernameAvailability, setUserAvatar, setEmail, setStatusText } from '.';
 
@@ -33,13 +34,13 @@ function _sendUserEmail(subject, html, userData) {
 		subject,
 		html,
 		data: {
-			email: s.escapeHTML(userData.email),
-			password: s.escapeHTML(userData.password),
+			email: escapeHTML(userData.email),
+			password: escapeHTML(userData.password),
 		},
 	};
 
 	if (typeof userData.name !== 'undefined') {
-		email.data.name = s.escapeHTML(userData.name);
+		email.data.name = escapeHTML(userData.name);
 	}
 
 	try {

app/lib/server/functions/setEmail.js

@@ -6,6 +6,7 @@ import { hasPermission } from '../../../authorization';
 import { RateLimiter, validateEmailDomain } from '../lib';
 import * as Mailer from '../../../mailer';
 import { settings } from '../../../settings';
+import { escapeHTML } from '../../../../lib/escapeHTML';
 
 import { checkEmailAvailability } from '.';
 
@@ -24,7 +25,7 @@ const _sendEmailChangeNotification = function(to, newEmail) {
 		subject,
 		html,
 		data: {
-			email: s.escapeHTML(newEmail),
+			email: escapeHTML(newEmail),
 		},
 	};
 

app/mail-messages/server/functions/sendMail.js

@@ -1,10 +1,10 @@
 import { Meteor } from 'meteor/meteor';
 import { EJSON } from 'meteor/ejson';
 import { FlowRouter } from 'meteor/kadira:flow-router';
-import s from 'underscore.string';
 
 import { placeholders } from '../../../utils';
 import * as Mailer from '../../../mailer';
+import { escapeHTML } from '../../../../lib/escapeHTML';
 
 export const sendMail = function(from, subject, body, dryrun, query) {
 	Mailer.checkAddressFormatAndThrow(from, 'Mailer.sendMail');
@@ -51,8 +51,8 @@ export const sendMail = function(from, subject, body, dryrun, query) {
 					_id: user._id,
 					createdAt: user.createdAt.getTime(),
 				})),
-				name: s.escapeHTML(user.name),
-				email: s.escapeHTML(email),
+				name: escapeHTML(user.name),
+				email: escapeHTML(email),
 			});
 			console.log(`Sending email to ${ email }`);
 			return Mailer.send({

app/mailer/server/api.js

@@ -7,6 +7,7 @@ import juice from 'juice';
 import stripHtml from 'string-strip-html';
 
 import { settings } from '../../settings/server';
+import { escapeHTML } from '../../../lib/escapeHTML';
 
 let contentHeader;
 let contentFooter;
@@ -23,7 +24,7 @@ settings.get('Language', (key, value) => {
 	lng = value || 'en';
 });
 
-export const replacekey = (str, key, value = '') => str.replace(new RegExp(`(\\[${ key }\\]|__${ key }__)`, 'igm'), s.escapeHTML(value));
+export const replacekey = (str, key, value = '') => str.replace(new RegExp(`(\\[${ key }\\]|__${ key }__)`, 'igm'), escapeHTML(value));
 export const translate = (str) => str.replace(/\{ ?([^\} ]+)(( ([^\}]+))+)? ?\}/gmi, (match, key) => TAPi18n.__(key, { lng }));
 export const replace = function replace(str, data = {}) {
 	if (!str) {
@@ -45,10 +46,10 @@ export const replace = function replace(str, data = {}) {
 const nonEscapeKeys = ['room_path'];
 
 export const replaceEscaped = (str, data = {}) => replace(str, {
-	Site_Name: s.escapeHTML(settings.get('Site_Name')),
-	Site_Url: s.escapeHTML(settings.get('Site_Url')),
+	Site_Name: escapeHTML(settings.get('Site_Name')),
+	Site_Url: escapeHTML(settings.get('Site_Url')),
 	...Object.entries(data).reduce((ret, [key, value]) => {
-		ret[key] = nonEscapeKeys.includes(key) ? value : s.escapeHTML(value);
+		ret[key] = nonEscapeKeys.includes(key) ? value : escapeHTML(value);
 		return ret;
 	}, {}),
 });

app/markdown/lib/markdown.js

@@ -6,12 +6,13 @@ import s from 'underscore.string';
 import { Meteor } from 'meteor/meteor';
 import { Blaze } from 'meteor/blaze';
 
-import { marked } from './parser/marked/marked.js';
-import { original } from './parser/original/original.js';
-import { filtered } from './parser/filtered/filtered.js';
-import { code } from './parser/original/code.js';
+import { marked } from './parser/marked/marked';
+import { original } from './parser/original/original';
+import { filtered } from './parser/filtered/filtered';
+import { code } from './parser/original/code';
 import { callbacks } from '../../callbacks';
 import { settings } from '../../settings';
+import { escapeHTML } from '../../../lib/escapeHTML';
 
 const parsers = {
 	original,
@@ -22,7 +23,7 @@ const parsers = {
 class MarkdownClass {
 	parse(text) {
 		const message = {
-			html: s.escapeHTML(text),
+			html: escapeHTML(text),
 		};
 		return this.mountTokensBack(this.parseMessageNotEscaped(message)).html;
 	}

app/markdown/lib/parser/marked/marked.js

@@ -1,10 +1,11 @@
 import { Random } from 'meteor/random';
 import _ from 'underscore';
-import s from 'underscore.string';
 import _marked from 'marked';
 
 import hljs from '../../hljs';
 import { settings } from '../../../../settings';
+import { escapeHTML } from '../../../../../lib/escapeHTML';
+import { unescapeHTML } from '../../../../../lib/unescapeHTML';
 
 const renderer = new _marked.Renderer();
 
@@ -22,9 +23,9 @@ renderer.code = function(code, lang, escaped) {
 	let text = null;
 
 	if (!lang) {
-		text = `<pre><code class="code-colors hljs">${ escaped ? code : s.escapeHTML(code, true) }</code></pre>`;
+		text = `<pre><code class="code-colors hljs">${ escaped ? code : escapeHTML(code, true) }</code></pre>`;
 	} else {
-		text = `<pre><code class="code-colors hljs ${ escape(lang, true) }">${ escaped ? code : s.escapeHTML(code, true) }</code></pre>`;
+		text = `<pre><code class="code-colors hljs ${ escape(lang, true) }">${ escaped ? code : escapeHTML(code, true) }</code></pre>`;
 	}
 
 	if (_.isString(msg)) {
@@ -99,7 +100,7 @@ export const marked = (message) => {
 	if (smartLists == null) { smartLists = settings.get('Markdown_Marked_SmartLists'); }
 	if (smartypants == null) { smartypants = settings.get('Markdown_Marked_Smartypants'); }
 
-	msg.html = _marked(s.unescapeHTML(msg.html), {
+	msg.html = _marked(unescapeHTML(msg.html), {
 		gfm,
 		tables,
 		breaks,