diff --git a/src/messaging/index.js b/src/messaging/index.js
index 8881d41b2a..7c810ec6d8 100644
--- a/src/messaging/index.js
+++ b/src/messaging/index.js
@@ -248,8 +248,8 @@ Messaging.generateUsernames = function (room, excludeUid) {
 Messaging.generateChatWithMessage = async function (room, callerUid, userLang) {
 const users = room.users.filter(u => u && parseInt(u.uid, 10) !== callerUid);
 const usernames = users.map(u => (utils.isNumber(u.uid) ?
-`${u.displayname}` :
-`${u.displayname}`));
+`${validator.escape(String(u.displayname))}` :
+`${validator.escape(String(u.displayname))}`));
 let compiled;
 if (!users.length) {
 return '[[modules:chat.no-users-in-room]]';
diff --git a/test/messaging.js b/test/messaging.js
index 88d3e82033..4e2e709007 100644
--- a/test/messaging.js
+++ b/test/messaging.js
@@ -562,6 +562,27 @@ describe('Messaging Library', () => {
 assert.equal(rooms[0].teaser.content, '<svg/onload=alert(document.location);');
 });
 
+it('should escape chatWithMessage', async () => {
+const oldValue = meta.config.showFullnameAsDisplayName;
+meta.config.showFullnameAsDisplayName = true;
+
+const uid = await User.create({ username: 'escapedsender', fullname: '<svg/onload=alert(document.location);` + );
+
+meta.config.showFullnameAsDisplayName = oldValue;
+});
+
 it('should fail to check if user has private chat with invalid data', async () => {
 await assert.rejects(
 api.users.getPrivateRoomId({ uid: null }, undefined),
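Review bot: Both arms of the ternary on the new `+` lines are identical, so `utils.isNumber(u.uid)` no longer selects anything and the conditional is dead; collapse it to `const usernames = users.map(u => validator.escape(String(u.displayname)));` or restore whatever distinction the two arms were meant to carry (the removed lines were already identical, so the commit inherits the smell rather than introducing it). The escape also assumes `u.displayname` has not already been HTML-escaped upstream; if it has, an `&` in a name will render as `&amp;amp;`, so the shape of `room.users` at the caller is worth confirming before merging. `validator` is not brought into scope within the hunk, so it is presumably required at the top of the file. generateChatWithMessage continues past the end of the hunk.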
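Review bot: The new test restores `meta.config.showFullnameAsDisplayName` only on the success path, so a failing assertion inside it leaves the flag set to `true` for every later test in this describe block; wrap the body after the assignment in `try { … } finally { meta.config.showFullnameAsDisplayName = oldValue; }`. The middle of the test body is not visible in this chunk (the hunk header counts 21 added lines but far fewer are shown), so the assertions themselves cannot be checked here. The enclosing describe block starts and ends outside the hunk.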