From 64a072c92b1f67e5e4328ab18fe529a86a7d0875 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Fri, 27 Feb 2026 00:19:17 -0500
Subject: [PATCH] fix: escape fullname in chatWithMessage
---
src/messaging/index.js | 4 ++--
test/messaging.js | 21 +++++++++++++++++++++
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/messaging/index.js b/src/messaging/index.js
index 8881d41b2a..7c810ec6d8 100644
--- a/src/messaging/index.js
+++ b/src/messaging/index.js
@@ -248,8 +248,8 @@ Messaging.generateUsernames = function (room, excludeUid) {
 Messaging.generateChatWithMessage = async function (room, callerUid, userLang) {
 const users = room.users.filter(u => u && parseInt(u.uid, 10) !== callerUid);
 const usernames = users.map(u => (utils.isNumber(u.uid) ?
-`${u.displayname}` :
-`${u.displayname}`));
+`${validator.escape(String(u.displayname))}` :
+`${validator.escape(String(u.displayname))}`));
 let compiled;
 if (!users.length) {
 return '[[modules:chat.no-users-in-room]]';
diff --git a/test/messaging.js b/test/messaging.js
index 88d3e82033..4e2e709007 100644
--- a/test/messaging.js
+++ b/test/messaging.js
@@ -562,6 +562,27 @@ describe('Messaging Library', () => {
 assert.equal(rooms[0].teaser.content, '<svg/onload=alert(document.location);');
 });
+ it('should escape chatWithMessage', async () => {
+ const oldValue = meta.config.showFullnameAsDisplayName;
+ meta.config.showFullnameAsDisplayName = true;
+
+ const uid = await User.create({ username: 'escapedsender', fullname: '<svg/onload=alert(document.location);`
+ );
+
+ meta.config.showFullnameAsDisplayName = oldValue;
+ });
+
 it('should fail to check if user has private chat with invalid data', async () => {
 await assert.rejects(
 api.users.getPrivateRoomId({ uid: null }, undefined),
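Review bot: Both branches of the ternary in the new `usernames` mapping are identical (`utils.isNumber(u.uid) ? validator.escape(...) : validator.escape(...)`), so the escape call is duplicated and the `utils.isNumber(u.uid)` test decides nothing; collapse it to `const usernames = users.map(u => validator.escape(String(u.displayname)));`. If the two branches were originally meant to differ (a numeric uid rendered differently from a non-numeric one), that intent is already lost in the old code and should either be restored or dropped explicitly rather than carried as dead structure. The hunk does not show whether `validator` is already required in src/messaging/index.js; if it is not, the first call throws a ReferenceError, so that should be confirmed against the file header. `generateChatWithMessage` continues past the hunk, so where `usernames` is interpolated and whether the consumer escapes the string again (double-escaping names such as `O'Brien` into `O&amp;#x27;Brien`) is not visible here and should be checked before merging.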
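Review bot: The new test flips `meta.config.showFullnameAsDisplayName = true` and only restores `oldValue` at the end of the block, so any failing `await` or assertion in between leaves the global config changed for every later test in the suite. Wrap the body after the first two lines in `try {` … `} finally { meta.config.showFullnameAsDisplayName = oldValue; }` so the restore always runs. The middle of the test (the rest of the `User.create` call and the assertion it closes with `);`) is cut off in this rendering, so the expected escaped string could not be checked here; the hunk header counts 21 added lines and only about half are legible.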