@abhinavkrin abhinavkrin commented May 5, 2025

Proposed changes (including videos or screenshots)

Fixes an issue where special characters in system messages were incorrectly rendered due to unnecessary escaping logic. Updates the message rendering process to display characters as intended.
We can skip escaping since these data are rendered directly as React nodes, which handle the escaping. Previously we used dangerouslySetInnerHTML, which is no longer the case.

Issue(s)

Steps to test or reproduce

  1. Trigger a system message containing special characters by changing the room description to one that includes special characters such as '&'.
  2. Verify that characters are rendered correctly in the message output.

Further comments

SUP-760


Description

This pull request addresses issues related to character escaping in channel description notifications within the Rocket.Chat application. The changes focus on removing unnecessary HTML escaping to prevent security vulnerabilities and ensure correct message rendering.

Key Changes

  1. Patch Documentation:
    • Added a Changeset file to document a patch fix for the '@rocket.chat/meteor' package, specifically targeting incorrect character escaping in system messages.
  2. Livechat Message Handling:
    • Removed HTML escaping from the livechat_webrtc_video_call message type in apps/meteor/app/livechat/lib/messageTypes.ts to prevent potential security vulnerabilities.
  3. System Message Testing:
    • Introduced a new test suite for the SystemMessage component using React Testing Library in apps/meteor/client/components/message/variants/SystemMessage.spec.tsx. The tests ensure:
      • Basic rendering functionality.
      • Correct handling of HTML entities to prevent double-escaping.
      • Prevention of HTML injection by ensuring HTML content is not rendered as active elements.
  4. Data Processing Adjustments:
    • Removed HTML escaping from the data processing of room topic, announcement, and description message types in apps/meteor/client/startup/messageTypes.ts. This change delegates the responsibility of handling potentially unsafe HTML content to the rendering layer.
  5. Omnichannel Services Update:
    • Eliminated the use of escapeHTML in the handling of livechat_webrtc_video_call messages in ee/packages/omnichannel-services/src/livechatSystemMessages.ts.

These changes aim to improve the security and accuracy of message rendering in Rocket.Chat by addressing character escaping issues.

Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
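The double-escaping regression described in this PR, as an added example that is not Rocket.Chat's code: a browser-free simulation of the three data-layer/sink combinations (legacy escape + innerHTML, escape + React text node, raw + React text node). The `escapeHTML`, `renderAsTextNode` and `renderAsInnerHTML` helpers and the `SAMPLE` description are constructed for the example; the last check mirrors what the new SystemMessage tests assert.

```javascript
// Added example, not Rocket.Chat code: simulates the rendering paths the PR describes
// so the "escape exactly once, at the sink" invariant can be checked without a browser.

// Equivalent in effect to the escapeHTML calls removed from the data layer.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Sink A: a React text node ({text}). The DOM escapes it once and shows it verbatim;
// a text node can never become an element, so nothing in it is "active".
function renderAsTextNode(text) {
  return { html: escapeHTML(text), displayed: text, activeMarkup: false };
}

// Sink B: dangerouslySetInnerHTML. The string is parsed as markup, not escaped.
// `displayed` approximates what a user sees: tags consumed, entities decoded once.
function renderAsInnerHTML(markup) {
  const entities = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  const displayed = markup
    .replace(/<[^>]*>/g, '')
    .replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => entities[e]);
  return { html: markup, displayed, activeMarkup: /<[a-z]/i.test(markup) };
}

// Before React took over rendering: escape in the data layer, innerHTML sink. One layer, correct.
function legacyPipeline(description) { return renderAsInnerHTML(escapeHTML(description)); }
// The regression this PR fixes: the data layer kept escaping after the sink became a text node.
function doubleEscapedPipeline(description) { return renderAsTextNode(escapeHTML(description)); }
// After the PR: the raw value goes to the text-node sink; the single layer of escaping happens there.
function fixedPipeline(description) { return renderAsTextNode(description); }

// What the new SystemMessage tests assert: the user sees the original text and no markup becomes active.
function rendersSafelyAndFaithfully(pipeline, description) {
  const out = pipeline(description);
  return out.displayed === description && out.activeMarkup === false;
}

// Constructed room description, the kind of input from the PR's test steps.
const SAMPLE = 'Q&A <b>room</b>';
for (const p of [legacyPipeline, doubleEscapedPipeline, fixedPipeline]) {
  console.log(p.name, JSON.stringify(p(SAMPLE)), rendersSafelyAndFaithfully(p, SAMPLE));
}
```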
@abhinavkrin abhinavkrin requested review from a team as code owners May 5, 2025 19:05

dionisio-bot bot commented May 5, 2025

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines


changeset-bot bot commented May 5, 2025

🦋 Changeset detected

Latest commit: b6e04d5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 36 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/freeswitch Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/license Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/models Patch
@rocket.chat/network-broker Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/instance-status Patch



kody-ai bot commented May 5, 2025

Code Review Completed! 🔥

The code review was successfully completed based on your current configurations.

Kody Guide: Usage and Configuration
Interacting with Kody
  • Request a Review: Ask Kody to review your PR manually by adding a comment with the @kody start-review command at the root of your PR.

  • Provide Feedback: Help Kody learn and improve by reacting to its comments with a 👍 for helpful suggestions or a 👎 if improvements are needed.

Current Kody Configuration
Review Options

The following review options are enabled or disabled:

Options Enabled
Security
Code Style
Kody Rules
Refactoring
Error Handling
Maintainability
Potential Issues
Documentation And Comments
Performance And Optimization
Breaking Changes



github-actions bot commented May 5, 2025

PR Preview Action v1.6.1

🚀 View preview at
https://RocketChat.github.io/Rocket.Chat/pr-preview/pr-35927/

Built to branch gh-pages at 2025-05-16 23:42 UTC.
Preview will be ready when the GitHub Pages deployment is complete.


codecov bot commented May 5, 2025

Codecov Report

Attention: Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.

Project coverage is 64.75%. Comparing base (aea500e) to head (b6e04d5).
Report is 1 commits behind head on develop.


@@             Coverage Diff             @@
##           develop   #35927      +/-   ##
===========================================
- Coverage    64.78%   64.75%   -0.03%     
===========================================
  Files         3099     3248     +149     
  Lines        92171    95485    +3314     
  Branches     17635    17871     +236     
===========================================
+ Hits         59713    61833    +2120     
- Misses       29688    30744    +1056     
- Partials      2770     2908     +138     
Flag Coverage Δ
e2e 58.42% <0.00%> (+0.06%) ⬆️
unit 71.97% <33.33%> (+0.06%) ⬆️


Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>

kody-ai bot commented May 5, 2025

Kody Review Complete

Great news! 🎉
No issues were found that match your current review configurations.

Keep up the excellent work! 🚀


@jonasflorencio jonasflorencio self-requested a review May 16, 2025 20:43
@abhinavkrin abhinavkrin added the stat: QA assured Means it has been tested and approved by a company insider label May 16, 2025
@abhinavkrin abhinavkrin added this to the 7.7.0 milestone May 16, 2025
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label May 16, 2025
@kodiakhq kodiakhq bot merged commit b6b11f3 into develop May 17, 2025
48 checks passed
@kodiakhq kodiakhq bot deleted the fix/character-escaping-in-channel-description branch May 17, 2025 00:26