[CLNP-6501][fix]: disable mentions and sanitize HTML in edit mode #1418
sf-tyler-jeong wants to merge 1 commit into main from
Mentions are not functional in edit mode, so disable mention detection
by setting isMentionEnabled={false} on MessageInput. Also sanitize
mentionTemplate in editMessage to prevent HTML tag injection via
contentEditable.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7f248bd516
| ref={editMessageInputRef} | ||
| mentionSelectedUser={selectedUser} | ||
| isMentionEnabled={groupChannel.enableMention} | ||
| isMentionEnabled={false} |
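Review bot: isMentionEnabled={false} is hardcoded on the last line of this hunk while mentionSelectedUser={selectedUser} is still passed two lines above it. If mention handling is meant to be off in edit mode, either drop that prop here or add a short comment saying why it stays, so the two props do not read as contradictory. The hunk also shows no test; one that edits a message already containing a mention would pin down what this flag does to existing mentions on save.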
Preserve existing mentions when editing mentioned messages
Setting isMentionEnabled to false in edit mode makes MessageInput take its mention-disabled initialization path, so a previously mentioned message is loaded as plain text instead of mention-label nodes; when the user saves, extractTextAndMentions() no longer emits @{userId} tokens and onUpdateMessage sends a non-mention template. In practice, editing even a typo in a message that already mentions users will silently strip those mentions from the updated message.
Description
Fixes two issues in message edit mode:
- Mention suggestion list shown in edit mode — The SuggestedMentionListView appeared when typing @ in edit mode, even though mentions are not functional during editing. Fixed by setting isMentionEnabled={false} on MessageInput in edit mode, which disables mention detection and prevents the suggestion list from appearing.
- HTML tag injection via contentEditable — The mentionTemplate passed to onUpdateMessage was not sanitized, allowing HTML tags to be included in the edited message. Fixed by applying sanitizeString() to mentionTemplate in the editMessage function.
Root Cause
- MessageInput in edit mode had isMentionEnabled={groupChannel.enableMention}, enabling mention detection even though edit mode does not support adding new mentions.
- editMessage function passed raw mentionTemplate from extractTextAndMentions() without sanitization.
Changes
- src/modules/GroupChannel/components/Message/MessageView.tsx: isMentionEnabled={false} for MessageInput in edit mode
- src/ui/MessageInput/index.tsx: sanitizeString() to mentionTemplate in editMessage
Ticket
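The sanitization step described in the PR description above, as an added example that is not code from this pull request or from Sendbird UIKit: it escapes markup in a template read from a contentEditable field while keeping @{userId} mention tokens intact. The names escapeHtml, sanitizeMentionTemplate and SAMPLE_TEMPLATE are hypothetical, and the project's own sanitizeString() is not shown on the page, so escaping is an assumption about what it does.

```javascript
// Added example: hypothetical helpers, not the Sendbird UIKit implementation.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the characters that let plain text be parsed as markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Mention tokens have the form @{userId}. Only ids made of a conservative
// character set are treated as tokens (assumption); anything else, such as
// a token wrapping markup, falls through and is escaped as ordinary text.
const MENTION_TOKEN = /@\{([A-Za-z0-9_.-]+)\}/g;

// Escape every literal segment of the template and copy well-formed
// mention tokens through unchanged.
function sanitizeMentionTemplate(template) {
  let out = '';
  let last = 0;
  for (const match of template.matchAll(MENTION_TOKEN)) {
    out += escapeHtml(template.slice(last, match.index));
    out += match[0];
    last = match.index + match[0].length;
  }
  return out + escapeHtml(template.slice(last));
}

// Constructed sample: text as it might come out of an edited message,
// containing one mention token and pasted HTML.
const SAMPLE_TEMPLATE =
  'Hi @{user_1}, see <img src=x onerror="alert(1)"> & <b>this</b>';
```

Escaping on the way out does not replace output encoding where the message is rendered; both ends should treat the template as untrusted text.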