fix: escape system message, don't allow editing system messages

src/messaging/data.js

@@ -1,5 +1,7 @@
 'use strict';
 
+const validator = require('validator');
+
 var db = require('../database');
 var user = require('../user');
 var utils = require('../utils');
@@ -79,6 +81,7 @@ module.exports = function (Messaging) {
 
 		messages = await Promise.all(messages.map(async (message) => {
 			if (message.system) {
+				message.content = validator.escape(String(message.content));
 				return message;
 			}
 

src/messaging/edit.js

@@ -57,10 +57,10 @@ module.exports = function (Messaging) {
 
 		const [isAdmin, messageData] = await Promise.all([
 			user.isAdministrator(uid),
-			Messaging.getMessageFields(messageId, ['fromuid', 'timestamp']),
+			Messaging.getMessageFields(messageId, ['fromuid', 'timestamp', 'system']),
 		]);
 
-		if (isAdmin) {
+		if (isAdmin && !messageData.system) {
 			return;
 		}
 		var chatConfigDuration = meta.config[durationConfig];
@@ -68,7 +68,7 @@ module.exports = function (Messaging) {
 			throw new Error('[[error:chat-' + type + '-duration-expired, ' + meta.config[durationConfig] + ']]');
 		}
 
-		if (messageData.fromuid === parseInt(uid, 10)) {
+		if (messageData.fromuid === parseInt(uid, 10) && !messageData.system) {
 			return;
 		}
 

test/messaging.js

@@ -119,7 +119,10 @@ describe('Messaging Library', function () {
 				assert.equal(messages.length, 1);
 				assert.strictEqual(messages[0].system, true);
 				assert.strictEqual(messages[0].content, 'user-join');
-				done();
+				socketModules.chats.edit({ uid: fooUid }, { roomId: roomId, mid: messages[0].messageId, message: 'test' }, function (err) {
+					assert.equal(err.message, '[[error:cant-edit-chat-message]]');
+					done();
+				});
 			});
 		});