Search API does not URL-encode searchText query parameter #1149

@Shreyas2004wagh

Description:

The search API request does not URL-encode user-provided searchText before appending it to query params.

In packages/api/src/EmbeddedChatApi.ts (around line 1124), the URL is built with:
...&searchText=${text}

Since text comes from user input (packages/react/src/views/MessageAggregators/SearchMessages.js, line 15), special characters like &, ?, #, % can break or alter query parsing.

Steps to reproduce:

  1. Open chat and use Search Messages.
  2. Enter a query containing special characters, e.g. hello&room?x#tag%.
  3. Trigger search and inspect request/query behavior.
  4. Observe incorrect parsing or unexpected search results.

Expected behavior:

searchText should be safely encoded (via URLSearchParams or encodeURIComponent) so all user input is treated as data, not query syntax.

Actual behavior:

Raw user input is interpolated directly into the URL query string, which can corrupt query parameters and change request interpretation.
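
An added illustration (not part of the original report and not the project's code) of the difference the issue describes, run on the query from the reproduction steps. The base URL and the `roomId` parameter are constructed placeholders, since the page only shows the `...&searchText=${text}` tail of the real URL.

```javascript
// Constructed placeholders: the host, path and roomId parameter are
// assumptions for this example, not the project's real request.
const BASE = 'https://chat.example.invalid/api/search';

// Pattern described in the issue: user input interpolated as-is.
function buildRaw(roomId, text) {
  return `${BASE}?roomId=${roomId}&searchText=${text}`;
}

// Encoded variant: URLSearchParams percent-encodes every value,
// so reserved characters stay inside the searchText value.
function buildEncoded(roomId, text) {
  const params = new URLSearchParams({ roomId, searchText: text });
  return `${BASE}?${params.toString()}`;
}

// Parse a URL the way a standards-based receiver would, to show
// which parameters and fragment the request actually carries.
function parseBack(url) {
  const u = new URL(url);
  return {
    query: Object.fromEntries(u.searchParams),
    fragment: u.hash,
  };
}

// Query string taken from the reproduction steps in the report.
const input = 'hello&room?x#tag%';

const raw = parseBack(buildRaw('GENERAL', input));
const encoded = parseBack(buildEncoded('GENERAL', input));

// Raw: searchText is cut at '&', a stray "room?x" parameter appears,
// and everything after '#' becomes a fragment that is never sent.
console.log('raw     ', buildRaw('GENERAL', input), raw);

// Encoded: the full input round-trips as one value.
console.log('encoded ', buildEncoded('GENERAL', input), encoded);
```

`encodeURIComponent(text)` on the interpolated value gives the same round-trip for this input; `URLSearchParams` has the advantage of encoding every parameter, not only the one that was remembered.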

Labels: bug