From e44e612557958c0c68c1789bc26e7d45f0c0cf27 Mon Sep 17 00:00:00 2001
From: Rodrigo Nascimento <rodrigoknascimento@gmail.com>
Date: Mon, 10 Apr 2017 16:28:42 -0300
Subject: [PATCH] [FIX] Encode avatar url to prevent CSS injection

---
 packages/rocketchat-ui-message/client/message.coffee | 2 ++
 packages/rocketchat-ui-message/client/message.html   | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/rocketchat-ui-message/client/message.coffee b/packages/rocketchat-ui-message/client/message.coffee
index 847594ef4f3..9f470f51bf3 100644
--- a/packages/rocketchat-ui-message/client/message.coffee
+++ b/packages/rocketchat-ui-message/client/message.coffee
@@ -1,6 +1,8 @@
 import moment from 'moment'
 
 Template.message.helpers
+	encodeURI: (text) ->
+		return encodeURI(text)
 	isBot: ->
 		return 'bot' if this.bot?
 	roleTags: ->
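Review bot: The new `encodeURI` helper does not close the CSS-injection path the title describes, because the JavaScript `encodeURI()` leaves `(`, `)`, `'`, `"`-free but `;` and `,` untouched (its reserved set is `; , / ? : @ & = + $ - _ . ! ~ * ' ( ) #`), and an unquoted `url(...)` token is terminated by the first `)`; a value like `a);color:red;x:url(` still passes through and ends up in a style attribute. Percent-encode the characters that matter to the CSS tokenizer after the standard encoding, e.g. `return encodeURI(text).replace /[()'";\s]/g, (c) -> '%' + c.charCodeAt(0).toString(16).toUpperCase()`, and add a comment above it saying why the extra replace exists so it is not "simplified" away later. `encodeURI` also throws `URIError` on a lone surrogate and returns the string `"undefined"` for an undefined argument, so consider guarding with `return '' unless text?` and, if the avatar source is not trusted, catching the throw rather than letting one message break rendering. Where `avatar` comes from is not visible in this hunk, so I cannot tell whether it is user-controlled.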
diff --git a/packages/rocketchat-ui-message/client/message.html b/packages/rocketchat-ui-message/client/message.html
index b110c416a1a..3a02fa4d14b 100644
--- a/packages/rocketchat-ui-message/client/message.html
+++ b/packages/rocketchat-ui-message/client/message.html
@@ -6,7 +6,7 @@
 			{{else}}
 				<button class="thumb user-card-message" data-username="{{u.username}}" tabindex="1">
 					<div class="avatar">
-						<div class="avatar-image" style="background-image:url({{avatar}});"></div>
+						<div class="avatar-image" style="background-image:url({{encodeURI avatar}});"></div>
 					</div>
 				</button>
 			{{/if}}
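Review bot: The value on the changed line is still interpolated into an unquoted `url()` inside an inline `style` attribute, so whatever the helper misses becomes CSS; quoting it as `style="background-image:url('{{encodeURI avatar}}');"` narrows the break-out to a literal `'` (which `encodeURI` does not encode) but does not remove it, so this line is only as safe as the helper. Note also that when `avatar` is unset the old template rendered `url()` while `{{encodeURI avatar}}` renders `url(undefined)`, which triggers a request for a relative `undefined` resource; wrap it as `{{#if avatar}}...{{/if}}` or have the helper return `''` for a missing value. If the surrounding template is covered by a CSP that forbids inline styles, setting `backgroundImage` from the template's `onRendered` hook instead of an inline attribute would also make this escaping problem moot.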
-- 
GitLab