Description:
The search API request does not URL-encode user-provided searchText before appending it to query params.
In packages/api/src/EmbeddedChatApi.ts (around line 1124), the URL is built with:
...&searchText=${text}
Since text comes from user input (packages/react/src/views/MessageAggregators/SearchMessages.js, line 15), special characters like &, ?, #, % can break or alter query parsing.
Steps to reproduce:
- Open chat and use Search Messages.
- Enter a query containing special characters, e.g.
hello&room?x#tag%.
- Trigger search and inspect request/query behavior.
- Observe incorrect parsing or unexpected search results.
Expected behavior:
searchText should be safely encoded (via URLSearchParams or encodeURIComponent) so all user input is treated as data, not query syntax.
Actual behavior:
Raw user input is interpolated directly into the URL query string, which can corrupt query parameters and change request interpretation.
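The difference between the two behaviors, as an added example that is not part of the original issue or the project's code. It parses the sample input from the reproduction steps back out of a raw-interpolated URL and out of one built with URLSearchParams; the base URL, endpoint path and roomId parameter are constructed placeholders.

```javascript
// Constructed placeholder endpoint; not the project's real URL.
const BASE = "https://chat.example.invalid/api/v1/search-endpoint";

// Sample input taken from the issue's reproduction steps.
const SAMPLE = "hello&room?x#tag%";

// "Before": raw interpolation, the pattern the issue describes.
// Kept unencoded on purpose to show the parsing problem.
function buildSearchUrlRaw(roomId, text) {
  return `${BASE}?roomId=${roomId}&searchText=${text}`;
}

// "After": URLSearchParams percent-encodes every name and value,
// so '&', '?', '#' and '%' stay inside the searchText value.
function buildSearchUrlEncoded(roomId, text) {
  const params = new URLSearchParams({ roomId, searchText: text });
  return `${BASE}?${params.toString()}`;
}

// Parse a URL the way a standards-compliant receiver would and report
// the query parameters and the fragment (never sent to the server).
function parseQuery(url) {
  const u = new URL(url);
  return { params: Object.fromEntries(u.searchParams), fragment: u.hash };
}

// True when the receiver recovers exactly the text the user typed.
function roundTrips(build, text) {
  const { params, fragment } = parseQuery(build("GENERAL", text));
  return params.searchText === text &&
    fragment === "" &&
    Object.keys(params).length === 2;
}

const raw = parseQuery(buildSearchUrlRaw("GENERAL", SAMPLE));
const safe = parseQuery(buildSearchUrlEncoded("GENERAL", SAMPLE));
console.log("raw    :", raw);   // searchText truncated, extra key, fragment set
console.log("encoded:", safe);  // searchText intact, no extra key, no fragment
```

encodeURIComponent applied to the value gives the same result for this input; the two differ only in how a space is written (%20 versus +), and both decode to the same value.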