diff --git a/packages/rocketchat-file-upload/server/lib/requests.js b/packages/rocketchat-file-upload/server/lib/requests.js
index 45d6f77ab5c8d..f97e6aa9d2aa5 100644
--- a/packages/rocketchat-file-upload/server/lib/requests.js
+++ b/packages/rocketchat-file-upload/server/lib/requests.js
@@ -40,6 +40,8 @@ WebApp.connectHandlers.use('/file-upload/', function(req, res, next) {
 }
 }
+ res.header('Content-Security-Policy', 'default-src \'none\'');
+
 return FileUpload.get(file, req, res, next);
 }
 }
diff --git a/packages/rocketchat-message-attachments/client/messageAttachment.coffee b/packages/rocketchat-message-attachments/client/messageAttachment.coffee
index 91f6211f680c2..09cb0d8e1b04f 100644
--- a/packages/rocketchat-message-attachments/client/messageAttachment.coffee
+++ b/packages/rocketchat-message-attachments/client/messageAttachment.coffee
@@ -59,3 +59,21 @@ Template.messageAttachment.helpers
 injectIndex: (data, previousIndex, index) ->
 data.index = previousIndex + '.attachments.' + index
 return
+
+ safeLoadImageAttachment: (url) ->
+ host = ''
+ url = fixCordova(url)
+ if (url.indexOf("://") > -1) {
+ host = url.split('/')[2]
+ } else {
+ host = url.split('/')[0]
+ }
+
+ host = host.split(':')[0]
+
+ if (host != window.location.hostname) {
+ return ''
+ } else {
+ return url
+ }
+
diff --git a/packages/rocketchat-message-attachments/client/messageAttachment.html b/packages/rocketchat-message-attachments/client/messageAttachment.html
index 5bc82373fe9ed..8951623c53d4a 100644
--- a/packages/rocketchat-message-attachments/client/messageAttachment.html
+++ b/packages/rocketchat-message-attachments/client/messageAttachment.html
@@ -66,8 +66,8 @@
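Review bot: `res.header(...)` in the requests.js hunk is an Express helper, while a handler registered through `WebApp.connectHandlers.use` normally receives a plain Node `http.ServerResponse`, which only offers `setHeader`; unless something earlier in the stack adds `header`, this line throws before `FileUpload.get` runs. Use `res.setHeader('Content-Security-Policy', 'default-src \'none\'');` instead. The policy only takes effect when the browser renders the response as a document, so consider sending `X-Content-Type-Options: nosniff` on the same path to keep an uploaded file from being sniffed into an active type. The enclosing conditionals start outside the hunk, so it is worth confirming that every branch that serves a file passes through this line.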
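Review bot: The host check in `safeLoadImageAttachment` parses the URL by hand, and `url.split('/')[2]` followed by `host.split(':')[0]` treats the userinfo part of an authority (`user:pass@host`) as the host name, so the comparison with `window.location.hostname` can succeed for a URL that the browser resolves to a different host. Let the browser parse the URL and compare its `hostname`, as sketched below; that also accepts a relative path, which the current code reduces to an empty host and rejects. The added block uses `{ … } else { … }` braces in a `.coffee` file, which reads as JavaScript syntax rather than CoffeeScript and should be checked against the compiler. `url.indexOf` also throws if `fixCordova` returns nothing; whether it can is not visible in this hunk.

```coffeescript
safeLoadImageAttachment: (url) ->
  url = fixCordova(url)
  return '' unless url
  # Let the browser resolve the URL so userinfo, ports and relative
  # paths are handled by the same parser that will load the image.
  parser = document.createElement('a')
  parser.href = url
  if parser.hostname is window.location.hostname then url else ''
```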
{{#if loadImage}}
-
- +
+
{{#if description}}
{{description}}
diff --git a/packages/rocketchat-ui-sidenav/client/createCombinedFlex.coffee b/packages/rocketchat-ui-sidenav/client/createCombinedFlex.coffee
index ff306898959b5..4ec91100eed7d 100644
--- a/packages/rocketchat-ui-sidenav/client/createCombinedFlex.coffee
+++ b/packages/rocketchat-ui-sidenav/client/createCombinedFlex.coffee
@@ -84,7 +84,7 @@ Template.createCombinedFlex.events
 'click .save-channel': (e, instance) ->
 err = SideNav.validate()
- name = instance.find('#channel-name').value.toLowerCase().trim()
+ name = instance.find('#channel-name').value.toLowerCase().trim().replace(//g, ">")
 privateGroup = instance.find('#channel-type').checked
 readOnly = instance.find('#channel-ro').checked
 createRoute = if privateGroup then 'createPrivateGroup' else 'createChannel'
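Review bot: Escaping the channel name inside the `click .save-channel` handler only covers names submitted through this form; the value is presumably passed to the `createPrivateGroup` / `createChannel` call further down, outside the hunk, and that call can be made by any client with an unescaped name. The allowed characters should be validated on the server, and the name should be output-encoded wherever it is rendered. If the client-side replace stays, mark it as cosmetic with a comment such as `# cosmetic only: the server must validate the room name, do not rely on this for XSS protection`. The `.replace(//g, ">")` call as shown on this page is garbled (the pattern, and probably a second `replace`, were lost in extraction), so the exact substitution cannot be reviewed here.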