Skip to content

fix(api): escape json body in api calls to prevent injection #1072

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
deepak0x wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

fix(api): escape json body in api calls to prevent injection #1072

deepak0x wants to merge 3 commits into from

Conversation

@deepak0x
Copy link
Contributor

@deepak0x deepak0x commented Jan 15, 2026
edited
Loading

This pr address the escape json body in api calls to prevent injection

Closes #1067

Video/Screenshots

Screenshot from 2026-01-16 02-37-38

PR Test Details

Note: The PR will be ready for live testing at https://rocketchat.github.io/EmbeddedChat/pulls/pr-<pr_number> after approval. Contributors are requested to replace <pr_number> with the actual PR number.

@deepak0x
fix(api): escape json body in api calls to prevent injection
95530cc
@deepak0x
Merge remote-tracking branch 'upstream/develop' into fix/json-injecti…
bd02453 
…on-issue-1

:wq
git status
@deepak0x
fix(api): replace manual JSON string construction with JSON.stringify…
ce480d0 
… to prevent injection

- Replaced template literal JSON construction with JSON.stringify() in all API methods
- Fixes vulnerability where user input containing quotes would break JSON structure
- Affected methods: updateMessage, deleteMessage, updateUserUsername, reactToMessage, reportMessage, starMessage, unstarMessage, pinMessage, unpinMessage, updateUserNameThroughSuggestion
@deepak0x deepak0x force-pushed the fix/json-injection-issue-1 branch from c1f58c6 to ce480d0 Compare January 16, 2026 14:05
Spiral-Memory
Spiral-Memory approved these changes Jan 17, 2026
View reviewed changes
Copy link
Collaborator

@Spiral-Memory Spiral-Memory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great find @deepak0x
LGTM

@deepak0x
Copy link
Contributor Author

deepak0x commented Jan 17, 2026

Thanks 😊

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Spiral-Memory Spiral-Memory Awaiting requested review from Spiral-Memory

Assignees

No one assigned

Labels

testing

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: Critical JSON Injection in API Request Construction

2 participants

@deepak0x @Spiral-Memory