Description:
Right now, EmbeddedChatApi.ts takes your input (for example what you type in search) and interpolates it directly into the request URL without percent-encoding it first. When the input contains characters with special meaning in a URL, such as `&`, `#` or even a plain space, the resulting address is parsed differently than intended.
Steps to reproduce:
1. Use the search feature in the React frontend.
2. Search for a string containing an ampersand (e.g., "Cats & Dogs").
3. Observe the network request in the browser developer tools. The request will likely be truncated at the `&` symbol, leading to a search for only "Cats ".
Impact
- Functional failures: If a parameter has special characters like spaces, `&`, or `#`, the URL can break and the request may fail or return wrong results.
- Security risks: Even though this is an internal SDK, putting user-controlled text directly into URLs without encoding is unsafe and can cause unexpected behavior.
- Robustness: The API assumes identifiers (like Room IDs) are always URL-safe, but in some Rocket.Chat setups they might not be.
Locations (e.g.)
- getSearchMessages: searchText, roomId
- getMessages / getOlderMessages: query, field, roomId
- getUsersInRole: role
- userData / userInfo: username, userId
- getThreadMessages: tmid
- getAllFiles: typeGroup, roomId
Current
`${this.host}/api/v1/chat.search?roomId=${this.rid}&searchText=${text}`
Should be
`${this.host}/api/v1/chat.search?roomId=${encodeURIComponent(this.rid)}&searchText=${encodeURIComponent(text)}`
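As an added example (not the EmbeddedChat project's own code), the current and proposed URL builders side by side in TypeScript, plus a general `buildApiUrl` helper that extends the same fix to the other endpoints listed above; the host, room id, helper names and sample inputs are constructed for the illustration, and a Node-style global `URL`/`URLSearchParams` is assumed.

```typescript
// Added example, not EmbeddedChat's own code. Host, room id and search
// strings are constructed placeholders; the helper names are hypothetical.

// Current behaviour reported in the issue: raw interpolation of the values.
function buildSearchUrlUnencoded(host: string, rid: string, text: string): string {
  return `${host}/api/v1/chat.search?roomId=${rid}&searchText=${text}`;
}

// Proposed fix: percent-encode every interpolated value with encodeURIComponent,
// which escapes '&', '#', '=', '/', '?' and spaces so they cannot act as delimiters.
function buildSearchUrlEncoded(host: string, rid: string, text: string): string {
  return `${host}/api/v1/chat.search?roomId=${encodeURIComponent(rid)}&searchText=${encodeURIComponent(text)}`;
}

// General form for the other endpoints listed in the issue: build the query
// from a params object so no caller can forget to encode a value.
function buildApiUrl(host: string, path: string, params: Record<string, string>): string {
  const query = new URLSearchParams(params).toString();
  return `${host}/api/v1/${path}${query ? `?${query}` : ''}`;
}

// Mimic what the server sees: parse the URL with the WHATWG URL parser and
// return the query parameters it would actually receive.
function parseQuery(url: string): Record<string, string> {
  const out: Record<string, string> = {};
  new URL(url).searchParams.forEach((value, key) => { out[key] = value; });
  return out;
}

const HOST = 'https://chat.example.test'; // constructed placeholder
const ROOM = 'GENERAL';                    // constructed placeholder

// Run one search string through both builders and report the searchText
// the server would receive in each case.
function compare(text: string): { raw: string; encoded: string } {
  return {
    raw: parseQuery(buildSearchUrlUnencoded(HOST, ROOM, text))['searchText'] ?? '',
    encoded: parseQuery(buildSearchUrlEncoded(HOST, ROOM, text))['searchText'] ?? '',
  };
}
```

With the unencoded builder, "Cats & Dogs" reaches the server as "Cats " (the rest becomes a stray parameter) and "bug #42" as "bug " (the rest becomes a fragment); the encoded builder preserves both strings intact.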