Save room topic escaped

a26d955a · Diego Sampaio · 1a280b9c · a26d955a · a26d955a · a26d955a
Commit a26d955a authored 8 years ago by Diego Sampaio
--- a/packages/rocketchat-api/server/routes.coffee
+++ b/packages/rocketchat-api/server/routes.coffee
@@ -79,7 +79,7 @@ RocketChat.API.v1.addRoute 'channels.setTopic', authRequired: true,
 		unless RocketChat.authz.hasPermission(@userId, 'edit-room', @bodyParams.channel)
 			return RocketChat.API.v1.unauthorized()

-		if not RocketChat.saveRoomTopic(@bodyParams.channel, @bodyParams.topic)
+		if not RocketChat.saveRoomTopic(@bodyParams.channel, @bodyParams.topic, @user)
 			return RocketChat.API.v1.failure 'invalid_channel'

 		return RocketChat.API.v1.success

--- a/packages/rocketchat-channel-settings/client/views/channelSettings.coffee
+++ b/packages/rocketchat-channel-settings/client/views/channelSettings.coffee
@@ -20,7 +20,9 @@ Template.channelSettings.helpers
 	roomName: ->
 		return ChatRoom.findOne(@rid, { fields: { name: 1 }})?.name
 	roomTopic: ->
-		return s.escapeHTML ChatRoom.findOne(@rid, { fields: { topic: 1 }})?.topic
+		return ChatRoom.findOne(@rid, { fields: { topic: 1 }})?.topic
+	roomTopicUnescaped: ->
+		return s.unescapeHTML ChatRoom.findOne(@rid, { fields: { topic: 1 }})?.topic
 	archivationState: ->
 		return ChatRoom.findOne(@rid, { fields: { archived: 1 }})?.archived
 	archivationStateDescription: ->

--- a/packages/rocketchat-channel-settings/client/views/channelSettings.html
+++ b/packages/rocketchat-channel-settings/client/views/channelSettings.html
@@ -22,7 +22,7 @@
 						<label>{{_ "Topic"}}</label>
 						<div>
 							{{#if editing 'roomTopic'}}
-								<input type="text" name="roomTopic" value="{{roomTopic}}" class="editing" /> <button type="button" class="button secondary cancel">{{_ "Cancel"}}</button> <button type="button" class="button primary save">{{_ "Save"}}</button>
+								<input type="text" name="roomTopic" value="{{roomTopicUnescaped}}" class="editing" /> <button type="button" class="button secondary cancel">{{_ "Cancel"}}</button> <button type="button" class="button primary save">{{_ "Save"}}</button>
 							{{else}}
 								<span>{{{RocketChatMarkdown roomTopic}}}{{#if canEdit}} <i class="icon-pencil" data-edit="roomTopic"></i>{{/if}}</span>
 							{{/if}}

--- a/packages/rocketchat-channel-settings/server/functions/saveRoomTopic.coffee
+++ b/packages/rocketchat-channel-settings/server/functions/saveRoomTopic.coffee
-RocketChat.saveRoomTopic = (rid, roomTopic) ->
+RocketChat.saveRoomTopic = (rid, roomTopic, user) ->
 	unless Match.test rid, String
 		throw new Meteor.Error 'invalid-room', 'Invalid room', { function: 'RocketChat.saveRoomTopic' }

-	return RocketChat.models.Rooms.setTopicById(rid, roomTopic)
+	roomTopic = s.escapeHTML(roomTopic)
+
+	update = RocketChat.models.Rooms.setTopicById(rid, roomTopic)
+
+	RocketChat.models.Messages.createRoomSettingsChangedWithTypeRoomIdMessageAndUser 'room_changed_topic', rid, roomTopic, user
+
+	return update
--- a/packages/rocketchat-channel-settings/server/methods/saveRoomSettings.coffee
+++ b/packages/rocketchat-channel-settings/server/methods/saveRoomSettings.coffee
@@ -20,11 +20,10 @@ Meteor.methods
 					RocketChat.models.Messages.createRoomRenamedWithRoomIdRoomNameAndUser rid, name, Meteor.user()
 				when 'roomTopic'
 					if value isnt room.topic
-						RocketChat.saveRoomTopic(rid, value)
-						RocketChat.models.Messages.createRoomSettingsChangedWithTypeRoomIdMessageAndUser 'room_changed_topic', rid, value, Meteor.user()
+						RocketChat.saveRoomTopic(rid, value, Meteor.user())
 				when 'roomType'
 					if value isnt room.t
-						RocketChat.saveRoomType(rid, value)
+						RocketChat.saveRoomType(rid, value, Meteor.user())
 						if value is 'c'
 							message = TAPi18n.__('Channel')
 						else

--- a/packages/rocketchat-slashcommands-topic/topic.js
+++ b/packages/rocketchat-slashcommands-topic/topic.js
@@ -8,7 +8,11 @@ function Topic(command, params, item) {
 		if (Meteor.isClient && RocketChat.authz.hasAtLeastOnePermission('edit-room', item.rid) || (Meteor.isServer && RocketChat.authz.hasPermission(Meteor.userId(), 'edit-room', item.rid))) {
 			Meteor.call('saveRoomSettings', item.rid, 'roomTopic', params, (err) => {
 				if (err) {
-					return handleError(err);
+					if (Meteor.isClient) {
+						return handleError(err);
+					} else {
+						throw err;
+					}
 				}

 				if (Meteor.isClient) {

--- a/packages/rocketchat-ui/views/app/room.coffee
+++ b/packages/rocketchat-ui/views/app/room.coffee
@@ -48,7 +48,7 @@ Template.room.helpers
 	roomTopic: ->
 		roomData = Session.get('roomData' + this._id)
 		return '' unless roomData
-		return s.escapeHTML roomData.topic
+		return roomData.topic

 	roomIcon: ->
 		roomData = Session.get('roomData' + this._id)

--- a/server/startup/migrations/v055.js
+++ b/server/startup/migrations/v055.js
+RocketChat.Migrations.add({
+	version: 55,
+	up: function() {
+		RocketChat.models.Rooms.find({ 'topic': { $exists: 1, $ne: '' } }, { topic: 1 }).forEach(function(room) {
+			let topic = s.escapeHTML(room.topic);
+			RocketChat.models.Rooms.update({ _id: room._id }, { $set: { topic: topic }});
+			RocketChat.models.Messages.update({ t: 'room_changed_topic', rid: room._id }, { $set: { msg: topic }});
+		});
+	}
+});