fix: escape HTML in exported data

[julio-rocketchat]

Proposed changes (including videos or screenshots)

This PR hardens Rocket.Chat's HTML data export paths by adding proper output escaping.

Message content, usernames, attachment titles, and uploaded filenames were being written into exported .html files without escaping. As a result, any HTML-like characters in that content could be interpreted by the browser when the export was opened, rather than being displayed as text. This affects both the room "Send file via email" export and the "Download My Data" feature, which share the same code path.

This change applies escapeHTML() to all user-controlled fields at the output sinks in:

• exportRoomMessagesToFile.ts
• processDataDownloads.ts
• sendViaEmail.ts

It also adds a restrictive CSP meta tag to the generated HTML as an additional layer of hardening.

Escaping is a no-op for normal content and also fixes the display of text such as a < b, so there is no behavioral change for legitimate exports.

Also added new tests.

Issue(s)

https://rocketchat.atlassian.net/browse/VLN-417

Steps to test or reproduce

N/A

Further comments

N/A

Summary by CodeRabbit

• Bug Fixes

  • Improved security in data exports by escaping HTML tags to prevent injection attacks in room messages, user data, and email exports.
  • Enhanced security policies in exported HTML files with stricter Content-Security-Policy restrictions.

• Tests

  • Added comprehensive test coverage for HTML escaping and XSS prevention in exported data.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: 65b7b6d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

This PR hardens Rocket.Chat's data export system against XSS attacks by HTML-escaping all dynamic content in room message exports, user profile exports, and email bodies. It also adds strict Content-Security-Policy headers to generated HTML files and includes test coverage validating the escaping behavior.

Changes

HTML Escaping for Data Export Security

Layer / File(s)	Summary
Room message HTML export with XSS prevention apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts, apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts	escapeHTML import is added. Message text, usernames in paragraph headers, attachment URLs, and attachment link text are all escaped in HTML output. When transitioning from pending to exporting state, the HTML header now includes a multi-line <meta> tag with strict Content-Security-Policy. Test suite validates HTML escaping across message body, usernames, system messages, and attachment metadata, while confirming JSON exports remain unescaped.
User profile HTML export with XSS prevention apps/meteor/server/lib/dataExport/processDataDownloads.ts	escapeHTML import is added. User profile data generation now escapes all dynamic keys, string values, and array elements before writing to HTML output. HTML header includes strict Content-Security-Policy meta tag.
Email message export with XSS prevention apps/meteor/server/lib/dataExport/sendViaEmail.ts	escapeHTML import is added. Sender username in the email HTML template is escaped before embedding in the <b> tag, with fallback to empty string if unavailable.
Release notes .changeset/fast-apes-know.md	Changelog entry documents patch release for @rocket.chat/meteor describing HTML tag escaping in exported data.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

type: bug

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main change: applying HTML escaping to exported data. It is concise, specific, and clearly relates to the primary security fix across multiple export files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• VLN-417: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 92.30769% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 69.92%. Comparing base (85fc0dd) to head (65b7b6d).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40802      +/-   ##
===========================================
+ Coverage    69.90%   69.92%   +0.02%     
===========================================
  Files         3337     3337              
  Lines       123489   123494       +5     
  Branches     22013    22062      +49     
===========================================
+ Hits         86322    86351      +29     
+ Misses       33813    33793      -20     
+ Partials      3354     3350       -4     

Flag	Coverage Δ
e2e	59.42% <ø> (+0.07%)	⬆️
e2e-api	47.05% <72.72%> (+0.81%)	⬆️
unit	70.64% <36.36%> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

🧹 Nitpick comments (1)

.changeset/fast-apes-know.md (1)

5-5: ⚡ Quick win

Consider enhancing the description for security fix clarity.

The description accurately captures the core fix but could be more specific about scope and mitigations. For a security patch, users reviewing release notes benefit from knowing exactly which features are affected and what protections were added.

📝 Suggested enhancement

-Escapes HTML tags in exported data
+Escapes HTML tags in room message exports, user profile exports, and email exports. Adds Content-Security-Policy headers to exported HTML files.

This clarifies:

• The specific export types affected (room messages, user profiles, emails)
• The additional CSP mitigation layer

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.changeset/fast-apes-know.md at line 5, Update the changeset description to
be more specific about the security fix: expand the single-line "Escapes HTML
tags in exported data" to explicitly list affected export types (room messages,
user profiles, and exported emails) and state that HTML tags are now escaped on
export, and note the additional Content Security Policy (CSP) mitigation layer
added to reduce XSS risk; ensure the new text remains concise and clearly
communicates the scope and protections to reviewers.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.changeset/fast-apes-know.md:
- Line 5: Update the changeset description to be more specific about the
security fix: expand the single-line "Escapes HTML tags in exported data" to
explicitly list affected export types (room messages, user profiles, and
exported emails) and state that HTML tags are now escaped on export, and note
the additional Content Security Policy (CSP) mitigation layer added to reduce
XSS risk; ensure the new text remains concise and clearly communicates the scope
and protections to reviewers.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f1e24061-ca96-43e6-b562-e83f7d34c620

📥 Commits

Reviewing files that changed from the base of the PR and between 85fc0dd and 65b7b6d.

📒 Files selected for processing (5)

• .changeset/fast-apes-know.md
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts
• apps/meteor/server/lib/dataExport/processDataDownloads.ts
• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: Hacktron Security Check

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts
• apps/meteor/server/lib/dataExport/processDataDownloads.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts

🧠 Learnings (31)

📓 Common learnings

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:18.785Z
Learning: In Rocket.Chat PR reviews, maintain strict scope boundaries—when a PR is focused on a specific endpoint (e.g., rooms.favorite), avoid reviewing or suggesting changes to other endpoints that were incidentally refactored (e.g., rooms.invite) unless explicitly requested by maintainers.

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38262
File: apps/meteor/client/lib/utils/normalizeMessagePreview/getMessagePreview.ts:24-33
Timestamp: 2026-01-19T18:17:46.433Z
Learning: In the Rocket.Chat repository, usernames (lastMessage.u.username) and display names (lastMessage.u.name) are sanitized/escaped centrally elsewhere in the system, so individual display functions like getMessagePreview do not need to escape these values before interpolating them into strings.

📚 Learning: 2026-02-24T19:09:09.561Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:09.561Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.

Applied to files:

• .changeset/fast-apes-know.md

📚 Learning: 2026-05-06T20:48:08.244Z

Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40186
File: apps/meteor/app/apps/server/bridges/uiInteraction.ts:2-2
Timestamp: 2026-05-06T20:48:08.244Z
Learning: In the RocketChat/Rocket.Chat repository, Meteor's bundler does not respect the `exports` keyword in `package.json` files. Deep imports (e.g., `rocket.chat/apps/dist/server/bridges/UiInteractionBridge`) must be used instead of relying on `exports` subpath mappings. Do not suggest adding `exports` map entries to packages consumed by Meteor (e.g., `packages/apps/package.json`) as a fix for deep imports.

Applied to files:

• .changeset/fast-apes-know.md

📚 Learning: 2026-03-16T21:50:37.589Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: .changeset/migrate-users-register-openapi.md:3-3
Timestamp: 2026-03-16T21:50:37.589Z
Learning: For changes related to OpenAPI migrations in Rocket.Chat/OpenAPI, when removing endpoint types and validators from rocket.chat/rest-typings (e.g., UserRegisterParamsPOST, /v1/users.register) document this as a minor changeset (not breaking) per RocketChat/Rocket.Chat-Open-API#150 Rule 7. Note that the endpoint type is re-exposed via a module augmentation .d.ts in the consuming package (e.g., packages/web-ui-registration/src/users-register.d.ts). In reviews, ensure the changeset clearly states: this is a non-breaking change, the major version should not be bumped, and the changeset reflects a minor version bump. Do not treat this as a breaking change during OpenAPI migrations.

Applied to files:

• .changeset/fast-apes-know.md

📚 Learning: 2026-05-25T18:33:22.615Z

Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40677
File: apps/meteor/packages/rocketchat-mongo-config/server/index.js:43-46
Timestamp: 2026-05-25T18:33:22.615Z
Learning: In `apps/meteor/packages/rocketchat-mongo-config/server/index.js`, the `Email.sendAsync` override that logs email options to console is intentionally unrestricted (logs full options) — this is a test-mode-only path (TEST_MODE === 'true' or 'api') and logging the full options object is acceptable. Do not flag this as a sensitive data leak in code reviews.

Applied to files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts

📚 Learning: 2026-01-17T01:51:47.764Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38219
File: packages/core-typings/src/cloud/Announcement.ts:5-6
Timestamp: 2026-01-17T01:51:47.764Z
Learning: In packages/core-typings/src/cloud/Announcement.ts, the AnnouncementSchema.createdBy field intentionally overrides IBannerSchema.createdBy (object with _id and optional username) with a string enum ['cloud', 'system'] to match existing runtime behavior. This is documented as technical debt with a FIXME comment at apps/meteor/app/cloud/server/functions/syncWorkspace/handleCommsSync.ts:53 and should not be flagged as an error until the runtime behavior is corrected.

Applied to files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-03-03T11:11:48.541Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 39230
File: apps/meteor/app/api/server/v1/chat.ts:214-222
Timestamp: 2026-03-03T11:11:48.541Z
Learning: In apps/meteor/server/lib/moderation/reportMessage.ts, the reportMessage function validates that description is not empty or whitespace-only with `if (!description.trim())`. When migrating the chat.reportMessage endpoint to OpenAPI, adding minLength validation to the schema preserves this existing behavior.

Applied to files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-04-10T22:42:05.539Z

Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 40075
File: apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx:69-71
Timestamp: 2026-04-10T22:42:05.539Z
Learning: In `apps/meteor/client/views/room/modals/FileUploadModal/FileUploadModal.tsx`, the submit handler converts an empty/whitespace-only description to `undefined` (`description?.trim() || undefined`) intentionally. All downstream image-rendering components (`AttachmentImage`, `ImagePreview`, `ImageItem`, `ImageGallery`) default `undefined` alt to `''`, so the `<img alt="">` attribute is always present. Do not flag this `undefined` conversion as a bug preventing alt text from being cleared.

Applied to files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-01-19T18:17:46.433Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38262
File: apps/meteor/client/lib/utils/normalizeMessagePreview/getMessagePreview.ts:24-33
Timestamp: 2026-01-19T18:17:46.433Z
Learning: In the Rocket.Chat repository, usernames (lastMessage.u.username) and display names (lastMessage.u.name) are sanitized/escaped centrally elsewhere in the system, so individual display functions like getMessagePreview do not need to escape these values before interpolating them into strings.

Applied to files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/server/lib/dataExport/processDataDownloads.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-04-17T23:32:07.223Z

Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 38357
File: apps/meteor/app/apps/server/converters/messages.ts:348-352
Timestamp: 2026-04-17T23:32:07.223Z
Learning: In `apps/meteor/app/apps/server/converters/messages.ts`, the `timestamp` handler inside `_convertAttachmentsToApp` uses a non-null assertion (`attachment.ts!`) intentionally. The `ts` property on `MessageAttachment` is optional only to accommodate MessageAttachment creation-time scenarios; by the time `_convertAttachmentsToApp` is called, the message has already been stored and the attachment is guaranteed to have a `ts` value. Do not flag this non-null assertion as unsafe during code review.

Applied to files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2025-11-19T18:20:07.720Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 37419
File: packages/i18n/src/locales/en.i18n.json:918-921
Timestamp: 2025-11-19T18:20:07.720Z
Learning: Repo: RocketChat/Rocket.Chat — i18n/formatting
Learning: This repository uses a custom message formatting parser in UI blocks/messages; do not assume standard Markdown rules. For keys like Call_ended_bold, Call_not_answered_bold, Call_failed_bold, and Call_transferred_bold in packages/i18n/src/locales/en.i18n.json, retain the existing single-asterisk emphasis unless maintainers request otherwise.

Applied to files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-05-11T23:15:03.372Z

Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 40469
File: packages/rest-typings/src/v1/users.ts:337-337
Timestamp: 2026-05-11T23:15:03.372Z
Learning: In RocketChat/Rocket.Chat, REST endpoint typings in `packages/rest-typings/src/v1/users.ts` (and broadly across the codebase) reference `IUser` field types directly (e.g. `IUser['statusExpiresAt']`) rather than serialized equivalents like `string`. Suggesting a change to serialized types (e.g. `string`) for a single field is inconsistent with this pattern; any such refactor should be done codebase-wide.

Applied to files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/server/lib/dataExport/processDataDownloads.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts
• apps/meteor/server/lib/dataExport/processDataDownloads.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts
• apps/meteor/server/lib/dataExport/processDataDownloads.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/server/lib/dataExport/sendViaEmail.ts
• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts
• apps/meteor/server/lib/dataExport/processDataDownloads.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-02-24T19:36:55.089Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/page-objects/fragments/home-content.ts:60-82
Timestamp: 2026-02-24T19:36:55.089Z
Learning: In RocketChat/Rocket.Chat e2e tests (apps/meteor/tests/e2e/page-objects/fragments/home-content.ts), thread message preview listitems do not have aria-roledescription="message", so lastThreadMessagePreview locator cannot be scoped to messageListItems (which filters for aria-roledescription="message"). It should remain scoped to page.getByRole('listitem') or mainMessageList.getByRole('listitem').

Applied to files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-04-17T18:33:27.211Z

Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 39858
File: apps/meteor/tests/e2e/apps/uikit-interactions.spec.ts:123-151
Timestamp: 2026-04-17T18:33:27.211Z
Learning: In RocketChat/Rocket.Chat (`apps/meteor/tests/e2e/apps/uikit-interactions.spec.ts`), `executeBlockActionHandler` invocations originating from a **modal** surface intentionally do NOT include a `block_action_room` (room property) in the interaction payload. Modals are not scoped to a room, so no room id is available in that context. Do not flag the absence of a room assertion in the modal block-action test as a missing coverage bug; instead, document it explicitly with a `test.step` asserting the room entry is `undefined`.

Applied to files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Utilize Playwright fixtures (`test`, `page`, `expect`) for consistency in test files

Applied to files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts

📚 Learning: 2026-03-11T22:04:20.529Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 39545
File: apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts:59-61
Timestamp: 2026-03-11T22:04:20.529Z
Learning: In `apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts`, the `msg.u._id === uid` early-return in the `streamNewMessage` handler is intentional: the "New messages" indicator is designed to notify about messages from other users only. Self-sent messages — including those sent from a different session/device — are always skipped, by design. Do not flag this as a multi-session regression.

Applied to files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2025-12-10T21:00:54.909Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37091
File: ee/packages/abac/jest.config.ts:4-7
Timestamp: 2025-12-10T21:00:54.909Z
Learning: Rocket.Chat monorepo: Jest testMatch pattern '<rootDir>/src/**/*.spec.(ts|js|mjs)' is valid in this repo and used across multiple packages (e.g., packages/tools, ee/packages/omnichannel-services). Do not flag it as invalid in future reviews.

Applied to files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure tests run reliably in parallel without shared state conflicts

Applied to files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Group related tests in the same file

Applied to files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Maintain test isolation between test cases in Playwright tests

Applied to files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts

📚 Learning: 2026-03-06T18:02:20.381Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/elements/Timestamp/RelativeTime.spec.tsx:63-70
Timestamp: 2026-03-06T18:02:20.381Z
Learning: In RocketChat/Rocket.Chat, tests in the `packages/gazzodown` package (and likely the broader test suite) are always expected to run in the UTC timezone. This makes `toLocaleString()` output deterministic, so snapshot tests that include locale/timezone-sensitive content (such as `title` attributes from `toLocaleString()`) are stable and do not need to be replaced with targeted assertions.

Applied to files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts

📚 Learning: 2026-02-24T19:22:48.358Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/omnichannel/omnichannel-send-pdf-transcript.spec.ts:66-67
Timestamp: 2026-02-24T19:22:48.358Z
Learning: In Playwright end-to-end tests (e.g., under apps/meteor/tests/e2e/...), prefer locating elements by translated text (getByText) and ARIA roles (getByRole) over data-qa attributes. If translation values change, update the corresponding test locators accordingly. Never use data-qa locators. This guideline applies to all Playwright e2e test specs in the repository and helps keep tests robust to UI text changes and accessible semantics.

Applied to files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts

📚 Learning: 2026-03-06T18:10:15.268Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:15.268Z
Learning: In tests (especially those using testing-library/dom/jsdom) for Rocket.Chat components, the HTML <code> element has an implicit ARIA role of 'code'. Therefore, screen.getByRole('code') or screen.findByRole('code') will locate <code> elements even without a role attribute. Do not flag findByRole('code') as invalid in reviews; prefer using the implicit role instead of adding role="code" unless necessary for accessibility.

Applied to files:

• apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts

📚 Learning: 2026-03-12T17:12:49.121Z

Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39425
File: apps/meteor/client/lib/chats/flows/uploadFiles.ts:28-33
Timestamp: 2026-03-12T17:12:49.121Z
Learning: Rocket.Chat — apps/meteor/client/lib/chats/flows/uploadFiles.ts: When E2E_Enable_Encrypt_Files is disabled, plaintext file uploads are allowed in E2E rooms; this fallback is expected and should not be flagged as a security regression.

Applied to files:

• apps/meteor/server/lib/dataExport/processDataDownloads.ts
• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-03-11T18:15:53.272Z

Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39425
File: apps/meteor/app/api/server/v1/rooms.ts:294-296
Timestamp: 2026-03-11T18:15:53.272Z
Learning: In Rocket.Chat's `rooms.mediaConfirm/:rid/:fileId` endpoint (apps/meteor/app/api/server/v1/rooms.ts), updating `file.name` from `bodyParams.fileName` without updating `file.path` is intentionally safe. The file path is keyed by `_id` (not by filename), so the stored path remains valid regardless of a rename. `file.name` only affects the display name in the message attachment; do not flag this as a path-divergence issue.

Applied to files:

• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-04-29T20:06:34.862Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40268
File: apps/meteor/client/startup/incomingMessages.ts:21-25
Timestamp: 2026-04-29T20:06:34.862Z
Learning: In `apps/meteor/client/startup/incomingMessages.ts`, the `Messages.state.update` predicate that strips `ignored` from records when `'ignored' in sub` is false (i.e., the subscription update has no `ignored` field) is intentional. Absence of `ignored` in a `subscriptions-changed` event means the user's ignore list is empty/reset, so clearing all existing `ignored` flags on messages for that room is the correct behavior. Do not flag this as an unintentional ignored-state reset on unrelated subscription updates.

Applied to files:

• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-04-18T12:32:53.425Z

Learnt from: rodrigok
Repo: RocketChat/Rocket.Chat PR: 38623
File: apps/meteor/app/lib/server/functions/cleanRoomHistory.ts:146-149
Timestamp: 2026-04-18T12:32:53.425Z
Learning: In `apps/meteor/app/lib/server/functions/cleanRoomHistory.ts` (PR `#38623`), the read-receipt cleanup (both `ReadReceipts.removeByMessageIds` and `ReadReceiptsArchive.removeByMessageIds`) is intentionally only performed in the limited prune path (`limit && selectedMessageIds`). The unlimited/delete-all path (`limit === 0`) deliberately skips cleaning up orphaned read receipts in both hot and cold storage — this is by design. Do not flag this as a bug or missing cleanup in future reviews.

Applied to files:

• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

📚 Learning: 2026-03-11T18:17:53.972Z

Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39425
File: apps/meteor/client/lib/chats/flows/processMessageUploads.ts:112-119
Timestamp: 2026-03-11T18:17:53.972Z
Learning: In `apps/meteor/client/lib/chats/flows/processMessageUploads.ts`, when sending multiple file uploads, each file is confirmed via its own `/rooms.mediaConfirm/${rid}/${fileId}` call and produces a separate message. Only the first file's confirm payload carries the composed message text (`msg`); all subsequent files receive `msg: ''`. This one-message-per-file behavior is intentional by design — do not flag it as a bug or suggest batching into a single message.

Applied to files:

• apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts

🔇 Additional comments (6)

apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts (2)

179-192: LGTM!

---

286-293: LGTM!

apps/meteor/tests/unit/server/lib/dataExport/exportRoomMessagesToFile.spec.ts (1)

117-184: LGTM!

apps/meteor/server/lib/dataExport/processDataDownloads.ts (2)

7-7: LGTM!

Also applies to: 83-83

---

84-96: LGTM!

apps/meteor/server/lib/dataExport/sendViaEmail.ts (1)

71-73: LGTM!

[cubic-dev-ai]

No issues found across 5 files

_{Re-trigger cubic}

[julio-rocketchat]

/backport 8.5.1

[dionisio-bot]

Pull request #40917 added to Project: "Patch 8.5.1"

[julio-rocketchat]

/backport 8.4.4

[dionisio-bot]

Pull request #40918 added to Project: "Patch 8.4.4"

[julio-rocketchat]

/backport 8.3.6

[dionisio-bot]

Pull request #40919 added to Project: "Patch 8.3.6"

[julio-rocketchat]

/backport 8.2.6

[dionisio-bot]

Pull request #40920 added to Project: "Patch 8.2.6"

[julio-rocketchat]

/backport 8.1.6

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.1.6-40802
git cherry-pick afcc72d8d2096159ada47ac853f2c7534b5afa3e
// solve the conflict
git push

after that just run /backport 8.1.6 again

[julio-rocketchat]

/backport 8.1.6

[dionisio-bot]

Pull request #40921 added to Project: "Patch 8.1.6"

[julio-rocketchat]

/backport 8.0.7

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.0.7-40802
git cherry-pick afcc72d8d2096159ada47ac853f2c7534b5afa3e
// solve the conflict
git push

after that just run /backport 8.0.7 again

[julio-rocketchat]

/backport 8.0.7

[dionisio-bot]

Pull request #40922 added to Project: "Patch 8.0.7"

[julio-rocketchat]

/backport 7.13.9

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.13.9-40802
git cherry-pick afcc72d8d2096159ada47ac853f2c7534b5afa3e
// solve the conflict
git push

after that just run /backport 7.13.9 again

[julio-rocketchat]

/backport 7.13.9

[dionisio-bot]

Pull request #40923 added to Project: "Patch 7.13.9"

[julio-rocketchat]

/backport 7.10.13

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.10.13-40802
git cherry-pick afcc72d8d2096159ada47ac853f2c7534b5afa3e
// solve the conflict
git push

after that just run /backport 7.10.13 again

[julio-rocketchat]

/backport 7.10.13

[dionisio-bot]

Pull request #40924 added to Project: "Patch 7.10.13"