From 6a63c1a100fd03360947a6d5c4d7f0e596a4398e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Sun, 19 Jan 2020 22:20:43 -0500
Subject: [PATCH] fix: escape system message, don't allow editing system messages
---
 src/messaging/data.js | 3 +++
 src/messaging/edit.js | 6 +++---
 test/messaging.js | 5 ++++-
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/messaging/data.js b/src/messaging/data.js
index 982e51b746..c1bca1a4ab 100644
--- a/src/messaging/data.js
+++ b/src/messaging/data.js
@@ -1,5 +1,7 @@
 'use strict';
+const validator = require('validator');
+
 var db = require('../database');
 var user = require('../user');
 var utils = require('../utils');
@@ -79,6 +81,7 @@ module.exports = function (Messaging) {
 messages = await Promise.all(messages.map(async (message) => {
 if (message.system) {
+ message.content = validator.escape(String(message.content));
 return message;
 }
diff --git a/src/messaging/edit.js b/src/messaging/edit.js
index 50af113f43..349c66fa28 100644
--- a/src/messaging/edit.js
+++ b/src/messaging/edit.js
@@ -57,10 +57,10 @@ module.exports = function (Messaging) {
 const [isAdmin, messageData] = await Promise.all([
 user.isAdministrator(uid),
- Messaging.getMessageFields(messageId, ['fromuid', 'timestamp']),
+ Messaging.getMessageFields(messageId, ['fromuid', 'timestamp', 'system']),
 ]);
- if (isAdmin) {
+ if (isAdmin && !messageData.system) {
 return;
 }
 var chatConfigDuration = meta.config[durationConfig];
@@ -68,7 +68,7 @@ module.exports = function (Messaging) {
 throw new Error('[[error:chat-' + type + '-duration-expired, ' + meta.config[durationConfig] + ']]');
 }
- if (messageData.fromuid === parseInt(uid, 10)) {
+ if (messageData.fromuid === parseInt(uid, 10) && !messageData.system) {
 return;
 }
diff --git a/test/messaging.js b/test/messaging.js
index c49c6d6ee5..9f9a3b3341 100644
--- a/test/messaging.js
+++ b/test/messaging.js
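Review bot: `message.content = validator.escape(String(message.content));` in the system-message branch of getMessagesData turns a missing content value into the literal text `undefined` or `null` before escaping, because String() stringifies both; if a system message can ever lack content, guard it first, `message.content = validator.escape(String(message.content || ''));`. Escaping at read time in the data layer is a sound defence-in-depth step against stored markup, but any other reader of the raw field (getMessageFields, which the edit path in this same commit uses) still receives the unescaped value, so nothing on that side should render it. A why-comment would help the next maintainer, e.g. `// system messages skip the parse/sanitize step below, so HTML-encode here` — I cannot see the non-system branch from this hunk, so confirm that wording matches it. The enclosing map callback and getMessagesData continue outside the hunk.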
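Review bot: The `!messageData.system` condition is duplicated across the admin branch in the @@ -57 hunk of src/messaging/edit.js and the author branch in the following @@ -68 hunk; a single early rejection right after the Promise.all, `if (messageData.system) { throw new Error('[[error:cant-edit-chat-message]]'); }`, states the rule once and keeps any branch added later from having to repeat it. Both guards also rely on `system` being falsy for ordinary messages: if getMessageFields returns the stored value without parsing, a stored string such as `'0'` is truthy and would block admins and authors from editing every message — the test only asserts `system === true` through getMessagesData, which may parse fields that getMessageFields does not, so confirm the field's type on this path. The enclosing function starts before the first hunk and ends after the second.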
@@ -119,7 +119,10 @@ describe('Messaging Library', function () {
 assert.equal(messages.length, 1);
 assert.strictEqual(messages[0].system, true);
 assert.strictEqual(messages[0].content, 'user-join');
- done();
+ socketModules.chats.edit({ uid: fooUid }, { roomId: roomId, mid: messages[0].messageId, message: 'test' }, function (err) {
+ assert.equal(err.message, '[[error:cant-edit-chat-message]]');
+ done();
+ });
 });
 });
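Review bot: The new edit attempt uses a single caller, `{ uid: fooUid }`, so only one of the two guards changed in src/messaging/edit.js (admin or message author, depending on which role fooUid holds, which the hunk does not show) is exercised; a second attempt with a uid of the other role, expecting the same `[[error:cant-edit-chat-message]]`, would pin both branches. The edit.js check is parameterised by `type`, so if the same function also backs deletion, that path is equally untested here. The enclosing it() callback starts before the hunk.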