From 2a43c23ba75d0182a6820aa3eaa43be114edd7e3 Mon Sep 17 00:00:00 2001
From: Guilherme Gazzo
Date: Fri, 26 Jul 2019 08:44:48 -0300
Subject: [PATCH] [FIX] Not sanitized message types (#15054)
---
 app/ui-message/client/message.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/ui-message/client/message.js b/app/ui-message/client/message.js
index b0fcd419455a..6885c516a630 100644
--- a/app/ui-message/client/message.js
+++ b/app/ui-message/client/message.js
@@ -1,4 +1,5 @@
 import _ from 'underscore';
+import s from 'underscore.string';
 import { Blaze } from 'meteor/blaze';
 import { Meteor } from 'meteor/meteor';
 import { Tracker } from 'meteor/tracker';
@@ -78,6 +79,7 @@ const renderBody = (msg, settings) => {
 } else if (messageType.template) {
 // render template
 } else if (messageType.message) {
+msg.msg = s.escapeHTML(msg.msg);
 msg = TAPi18n.__(messageType.message, { ...typeof messageType.data === 'function' && messageType.data(msg) });
 } else if (msg.u && msg.u.username === settings.Chatops_Username) {
 msg.html = msg.msg;
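Review bot: The added `msg.msg = s.escapeHTML(msg.msg);` in the `messageType.message` branch sanitises by overwriting the field on the message object handed to renderBody, so a second render of the same object, or any later reader of `msg.msg`, would see double-escaped text such as `&amp;amp;`; whether that can happen depends on callers outside this hunk. Escaping a copy keeps the change local to the render path: `const safe = { ...msg, msg: s.escapeHTML(msg.msg) };` and then `messageType.data(safe)` in the `TAPi18n.__` call. The escape also covers only `msg.msg`, so any other message field that a type's `data()` returns for interpolation presumably still reaches the translated string unescaped unless that `data()` escapes it itself. A comment above the call, for example `// data() receives msg.msg already HTML-escaped; it must escape any other field it interpolates`, would make that contract visible to authors of new message types. renderBody begins before and continues past the hunk, so how the returned string is later inserted into the DOM is not visible here.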