Searching for anything with &, #, or + in it returns wrong results or nothing at all.
getSearchMessages in EmbeddedChatApi.ts (line 1124) builds the URL with a template literal:
`${this.host}/api/v1/chat.search?roomId=${this.rid}&searchText=${text}`The text param goes straight into the URL without encoding. So:
hello & goodbye — the & starts a new query param. Server receives searchText=hello and a stray goodbye param#channel — the # is treated as a URL fragment. searchText arrives as an empty stringhello world+test — the + is read as a space. Server gets hello world test
Same pattern in three other methods:
getUserStatus (line 1236) — userId=${reqUserId}userInfo (line 1253) — userId=${reqUserId}userData (line 1270) — username=${username}
The userId ones are less likely to hit this in practice since IDs are usually alphanumeric, but usernames with special characters would break userData.
File: packages/api/src/EmbeddedChatApi.ts
Searching for anything with
&,#, or+in it returns wrong results or nothing at all.getSearchMessagesinEmbeddedChatApi.ts(line 1124) builds the URL with a template literal:`${this.host}/api/v1/chat.search?roomId=${this.rid}&searchText=${text}`The
textparam goes straight into the URL without encoding. So:hello & goodbye— the&starts a new query param. Server receivessearchText=helloand a straygoodbyeparam#channel— the#is treated as a URL fragment.searchTextarrives as an empty stringhello world+test— the+is read as a space. Server getshello world testSame pattern in three other methods:
getUserStatus(line 1236) —userId=${reqUserId}userInfo(line 1253) —userId=${reqUserId}userData(line 1270) —username=${username}The userId ones are less likely to hit this in practice since IDs are usually alphanumeric, but usernames with special characters would break
userData.File:
packages/api/src/EmbeddedChatApi.ts