
Bug: Critical JSON Injection in API Request Construction

Open deepak0x opened this issue 1 month ago • 3 comments

Several API methods in EmbeddedChatApi.ts manually construct JSON request bodies using template literals instead of proper serialization. When user input contains special characters such as double quotes ("), the generated payload becomes invalid JSON.

This results in the Rocket.Chat server returning 400 Bad Request responses, breaking core Embedded Chat functionality.

Root Cause

Request bodies are manually constructed using template literals, which do not escape user input.

Problematic Code

// packages/api/src/EmbeddedChatApi.ts:797
body: `{"roomId": "${this.rid}", "msgId": "${msgId}", "text": "${text}" }`,

If text contains a double quote, the resulting JSON becomes malformed.


Steps to Reproduce

  1. Initialize EmbeddedChatApi.
  2. Call updateMessage with a string containing a double quote.

Example input:

Hello "World"
  3. The client constructs the following payload:

{"roomId": "...", "msgId": "...", "text": "Hello "World"" }

  4. The payload is invalid JSON.

Observed Behavior

Client Payload (Raw)

{"roomId": "GENERAL", "msgId": "83gcmhij82MqX5qrm", "text": "Hello "World"" }

Server Response

Status Code: 400
Response Body:
{"success":false,"errorType":"invalid-params","error":"must have required property 'roomId'..."}

Screenshots

When the server returns 400, the frontend shows "Text message to be broken"


deepak0x avatar Jan 15 '26 13:01 deepak0x
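
The failure reported above, as an added example that is not part of the original issue or the project's code: it rebuilds the request body both with the quoted template literal and with `JSON.stringify`, then parses each result and compares it with the intended fields. It goes beyond the double-quote case to backslashes and newlines; the function names and the last two sample inputs are assumptions made for illustration.

```typescript
// Added example; function names are hypothetical, not from EmbeddedChatApi.ts.
type UpdateFields = { roomId: string; msgId: string; text: string };

// Same template-literal construction as the line quoted in the issue.
function buildBodyUnsafe(f: UpdateFields): string {
  return `{"roomId": "${f.roomId}", "msgId": "${f.msgId}", "text": "${f.text}" }`;
}

// Serializer-based construction: JSON.stringify escapes ", \ and control characters.
function buildBodySafe(f: UpdateFields): string {
  return JSON.stringify({ roomId: f.roomId, msgId: f.msgId, text: f.text });
}

type Verdict = "ok" | "invalid-json" | "altered";

// Parse the body as a JSON consumer would and compare it with the intended fields.
// "altered" covers bodies that parse but no longer carry exactly the caller's values.
function checkBody(body: string, intended: UpdateFields): Verdict {
  let parsed: Record<string, unknown>;
  try {
    parsed = JSON.parse(body);
  } catch {
    return "invalid-json";
  }
  if (parsed === null || typeof parsed !== "object") return "altered";
  const keys = Object.keys(parsed).sort().join(",");
  if (keys !== "msgId,roomId,text") return "altered";
  const same =
    parsed.roomId === intended.roomId &&
    parsed.msgId === intended.msgId &&
    parsed.text === intended.text;
  return same ? "ok" : "altered";
}

// Constructed sample inputs; roomId and msgId reuse the values shown in the issue.
const samples: string[] = ['Hello "World"', "C:\\temp\\notes", "line one\nline two"];

function runSamples(): { text: string; unsafe: Verdict; safe: Verdict }[] {
  return samples.map((text) => {
    const f = { roomId: "GENERAL", msgId: "83gcmhij82MqX5qrm", text };
    return { text, unsafe: checkBody(buildBodyUnsafe(f), f), safe: checkBody(buildBodySafe(f), f) };
  });
}

console.log(runSamples());
```

The backslash sample is the one a 400 response never surfaces: the template-literal body parses, but `\t` and `\n` are read as escape sequences, so the stored text differs from what the user typed.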

Could you pls assign this to me?

AyushBurde avatar Jan 15 '26 19:01 AyushBurde

@Spiral-Memory I have checked and reproduced this issue... Pls check it from your side...

deepak0x avatar Jan 15 '26 19:01 deepak0x

Hey @AyushBurde, actually I am working on it... You can explore the codebase and raise issues too

deepak0x avatar Jan 15 '26 20:01 deepak0x