Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FIX] Encode avatar url to prevent CSS injection #6651

Merged
merged 1 commit into from
Apr 10, 2017
Merged

[FIX] Encode avatar url to prevent CSS injection #6651

merged 1 commit into from
Apr 10, 2017

Conversation

rodrigok
Copy link
Member

@RocketChat/core

@rodrigok rodrigok requested a review from karlprieb April 10, 2017 19:29
@engelgabriel engelgabriel temporarily deployed to rocket-chat-pr-6651 April 10, 2017 19:29 Inactive
engelgabriel
engelgabriel reviewed Apr 10, 2017
View reviewed changes
packages/rocketchat-ui-message/client/message.html
@@ -6,7 +6,7 @@
{{else}}
<button class="thumb user-card-message" data-username="{{u.username}}" tabindex="1">
<div class="avatar">
<div class="avatar-image" style="background-image:url({{avatar}});"></div>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we save the URL encoded on the DB?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can do this in the future, because we will need a migration to do that

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@engelgabriel I don't know now, cuz we save usernames there too, can be a problem

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could do it in the client. The server should reject malformed messages with a proper error code.

@engelgabriel engelgabriel merged commit 0dbff24 into develop Apr 10, 2017
@engelgabriel engelgabriel deleted the hotfix/encode-avatar-url branch April 10, 2017 20:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gronke gronke gronke left review comments

@engelgabriel engelgabriel engelgabriel left review comments

@karlprieb karlprieb karlprieb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@rodrigok @gronke @engelgabriel @karlprieb