From 0d9adcd2d160143e854f141dafe6984a9d6efeb1 Mon Sep 17 00:00:00 2001 From: Kamus Hadenes Date: Mon, 13 Mar 2017 00:03:05 -0300 Subject: [PATCH 1/4] Solves issue #1 at user input --- packages/rocketchat-ui-sidenav/client/createCombinedFlex.coffee | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/rocketchat-ui-sidenav/client/createCombinedFlex.coffee b/packages/rocketchat-ui-sidenav/client/createCombinedFlex.coffee index ff306898959b5..4ec91100eed7d 100644 --- a/packages/rocketchat-ui-sidenav/client/createCombinedFlex.coffee +++ b/packages/rocketchat-ui-sidenav/client/createCombinedFlex.coffee @@ -84,7 +84,7 @@ Template.createCombinedFlex.events 'click .save-channel': (e, instance) -> err = SideNav.validate() - name = instance.find('#channel-name').value.toLowerCase().trim() + name = instance.find('#channel-name').value.toLowerCase().trim().replace(//g, ">") privateGroup = instance.find('#channel-type').checked readOnly = instance.find('#channel-ro').checked createRoute = if privateGroup then 'createPrivateGroup' else 'createChannel' From 71df7435b723c6d58a2a76778897166b6dca98e1 Mon Sep 17 00:00:00 2001 From: Kamus Hadenes Date: Mon, 13 Mar 2017 00:21:28 -0300 Subject: [PATCH 2/4] Solves issue #2 using CSP --- packages/rocketchat-file-upload/server/lib/requests.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/rocketchat-file-upload/server/lib/requests.js b/packages/rocketchat-file-upload/server/lib/requests.js index 45d6f77ab5c8d..598705f1a094e 100644 --- a/packages/rocketchat-file-upload/server/lib/requests.js +++ b/packages/rocketchat-file-upload/server/lib/requests.js @@ -40,6 +40,8 @@ WebApp.connectHandlers.use('/file-upload/', function(req, res, next) { } } + res.header('Content-Security-Policy', 'default-src \'none\''); + return FileUpload.get(file, req, res, next); } } From 2834b3f88ab07221351fc483454ea895151225e1 Mon Sep 17 00:00:00 2001 
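Review bot: The new `.replace(...)` on the `name` line only rewrites the value in the browser, so it does not close the user-input issue the subject names: the Meteor method selected by `createRoute` ('createChannel' / 'createPrivateGroup') can still be called with the raw name, so the check has to be enforced in that method as well, or instead. As rendered here the pattern reads `//g`, which is not a regex literal in CoffeeScript (`//` is the integer-division operator) and the replacement is `">"`; if the page's extraction has not dropped characters this line will not compile, and either way silently rewriting the name hides the rejection from the user. I would replace the rewrite with an explicit validation that matches whatever pattern the server accepts for room names and report the failure through the existing `err` path instead, e.g. `err = 'invalid-name' unless ROOM_NAME_PATTERN.test(name)` (pattern name is a placeholder for the project's own setting). The `'click .save-channel'` handler continues outside the hunk.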
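Review bot: `res.header(...)` is the Express response API; the `res` passed to a `WebApp.connectHandlers.use` callback is Node's `http.ServerResponse`, which has `setHeader` but no `header` method, so this added line will throw a TypeError on every request that reaches it unless something upstream decorates `res` — use `res.setHeader('Content-Security-Policy', 'default-src \'none\'');`. PATCH 4/4 re-indents the same line but keeps `res.header`, so that hunk has the same problem. A `default-src 'none'` policy on the streamed file is the right defence against a stored HTML or SVG upload executing script; pairing it with `res.setHeader('X-Content-Type-Options', 'nosniff');` on the same branch also stops the browser from reinterpreting the file's bytes as a scriptable type. The handler continues outside the hunk, and whether `FileUpload.get` sets any headers of its own is not visible here.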
From: Kamus Hadenes Date: Mon, 13 Mar 2017 00:36:53 -0300 Subject: [PATCH 3/4] Solves issue #3 by validating image domain --- .../client/messageAttachment.coffee | 18 ++++++++++++++++++ .../client/messageAttachment.html | 4 ++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/packages/rocketchat-message-attachments/client/messageAttachment.coffee b/packages/rocketchat-message-attachments/client/messageAttachment.coffee index 91f6211f680c2..09cb0d8e1b04f 100644 --- a/packages/rocketchat-message-attachments/client/messageAttachment.coffee +++ b/packages/rocketchat-message-attachments/client/messageAttachment.coffee @@ -59,3 +59,21 @@ Template.messageAttachment.helpers injectIndex: (data, previousIndex, index) -> data.index = previousIndex + '.attachments.' + index return + + safeLoadImageAttachment: (url) -> + host = '' + url = fixCordova(url) + if (url.indexOf("://") > -1) { + host = url.split('/')[2] + } else { + host = url.split('/')[0] + } + + host = host.split(':')[0] + + if (host != window.location.hostname) { + return '' + } else { + return url + } + diff --git a/packages/rocketchat-message-attachments/client/messageAttachment.html b/packages/rocketchat-message-attachments/client/messageAttachment.html index 5bc82373fe9ed..8951623c53d4a 100644 --- a/packages/rocketchat-message-attachments/client/messageAttachment.html +++ b/packages/rocketchat-message-attachments/client/messageAttachment.html @@ -66,8 +66,8 @@
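Review bot: The body of `safeLoadImageAttachment` is written with JavaScript braces (`if (...) {`, `} else {`), which CoffeeScript does not use for blocks — `{` opens an object literal there — so as added the helper will not compile to the intended branches and should use indentation instead. The host check is also a hand-rolled parse: `url.split('/')[2]` followed by `split(':')[0]` does not account for userinfo or IPv6 literals, and a root-relative path (no `://`) yields an empty host and is rejected even though it is same-origin, so the comparison is both too strict for the app's own uploads and not a reliable origin check; resolving the value with the `URL` constructor against `window.location.href` and comparing `hostname` covers those cases. Returning `''` leaves `src=""` on the image, which some browsers resolve to the current document URL, whereas returning `null` lets the template omit the attribute. `fixCordova` is defined outside the hunk, so its effect on relative URLs is assumed here; the rewrite below keeps the call.

```coffeescript
  safeLoadImageAttachment: (url) ->
    url = fixCordova(url)
    try
      # resolve relative paths against the page, then compare hostnames only;
      # a malformed URL throws and is treated as not loadable
      host = new URL(url, window.location.href).hostname
    catch
      return null
    if host is window.location.hostname then url else null
```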
{{#if loadImage}}
-
- +
+
{{#if description}}
{{description}}
From 97c2c22e8223f4a4801c032eeecd97b5cd074bda Mon Sep 17 00:00:00 2001 From: Rodrigo Nascimento Date: Thu, 16 Mar 2017 12:51:28 -0300 Subject: [PATCH 4/4] Update requests.js --- packages/rocketchat-file-upload/server/lib/requests.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/rocketchat-file-upload/server/lib/requests.js b/packages/rocketchat-file-upload/server/lib/requests.js index 598705f1a094e..f97e6aa9d2aa5 100644 --- a/packages/rocketchat-file-upload/server/lib/requests.js +++ b/packages/rocketchat-file-upload/server/lib/requests.js @@ -40,7 +40,7 @@ WebApp.connectHandlers.use('/file-upload/', function(req, res, next) { } } - res.header('Content-Security-Policy', 'default-src \'none\''); + res.header('Content-Security-Policy', 'default-src \'none\''); return FileUpload.get(file, req, res, next); }