prevent parsing upstream instead of lower level code

c8bf7b2
Draft

fix: message parser breaking workspace #40306

RC - Layne / Layne Security Scan succeeded Apr 27, 2026 in 4m 9s

Layne — success

Found 6 issue(s): 0 critical, 0 high, 6 medium, 0 low.

Annotations

Check warning on line 79 in apps/meteor/client/components/message/content/attachments/QuoteAttachment.tsx

@rc-layne rc-layne / Layne Security Scan

[pi_agent] pi_agent/xss

[R79] Attacker-controlled attachment.text is rendered directly without MessageContentBody sanitization when text exceeds maxMessageParseSize or lacks markdown parsing

Check warning on line 16 in apps/meteor/client/components/message/hooks/useMaxMessageParseSize.ts

@rc-layne rc-layne / Layne Security Scan

[pi_agent] pi_agent/business-logic

[R16] No minimum value validation allows negative Message_MaxAllowedSize settings to force all messages to bypass markdown parsing and sanitization

Check warning on line 20 in apps/meteor/client/views/room/MessageList/hooks/useMessageBody.tsx

@rc-layne rc-layne / Layne Security Scan

[pi_agent] pi_agent/xss

[R18-R20] Attacker-controlled message.msg is returned directly without markdown parsing/sanitization when message exceeds maxMessageParseSize

Check warning on line 79 in apps/meteor/client/components/message/content/attachments/QuoteAttachment.tsx

@rc-layne rc-layne / Layne Security Scan

[pi_agent] pi_agent/xss

[R79] Attacker-controlled attachment.text is rendered directly without MessageContentBody sanitization when text exceeds maxMessageParseSize or lacks markdown parsing

Check warning on line 16 in apps/meteor/client/components/message/hooks/useMaxMessageParseSize.ts

@rc-layne rc-layne / Layne Security Scan

[pi_agent] pi_agent/business-logic

[R16] No minimum value validation allows negative Message_MaxAllowedSize settings to force all messages to bypass markdown parsing and sanitization

Check warning on line 20 in apps/meteor/client/views/room/MessageList/hooks/useMessageBody.tsx

@rc-layne rc-layne / Layne Security Scan

[pi_agent] pi_agent/xss

[R18-R20] Attacker-controlled message.msg is returned directly without markdown parsing/sanitization when message exceeds maxMessageParseSize