Custom message avatars can contain inline CSS that influences the resulting HTML element rendering.
The Meteor.method sendMessage allows setting custom avatars. When escaping the input with none); further CSS is applied to the elements inline styles. The injected CSS may not contain certain characters, including whitespace.
https://hackerone.com/reports/1031613