fix: incorrect cursor position after inserting mention

[abhinavkrin]

Proposed changes (including videos or screenshots)

When inserting a user/channel mention while the caret is not at the end of the message, the cursor jumped to an incorrect position instead of landing right after the inserted mention, making continued typing and editing awkward.

The root cause was in replaceText in createComposerAPI.ts: after replacing the partial trigger (e.g. @j) with the full mention, the new cursor position was computed from the textarea's live caret position before the replacement (selectionStart) rather than from where the text was actually inserted (selection.start). It also reset the caret back to the original position when a selection existed. This only appeared correct when mentioning at the end of the line, where the overshoot was clamped to the string length.

The cursor is now placed at selection.start + text.length, so it always lands immediately after the inserted mention regardless of where in the message it is inserted. Added unit tests for replaceText covering insertion at the start, middle, and end of a message.

Issue(s)

Steps to test or reproduce

1. Open any channel and type a message in the composer
2. Move the cursor to the beginning of the message
3. Type @ and select a user mention
4. Expected result: the cursor is placed immediately after the inserted mention, and you can continue typing naturally from that position

Further comments

CORE-2266

Summary by CodeRabbit

• Bug Fixes
  • Fixed the cursor position after inserting a mention in the message composer, including when the mention is added at the start, middle, or end of a message.
  • Improved text replacement behavior so the selection remains collapsed immediately after insertion.
• Tests
  • Added coverage for mention replacement behavior to verify cursor placement and selection handling across common composer scenarios.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: ba6ce67

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e2abe4ef-405d-4004-a0b1-0538e1e3b8ac

📥 Commits

Reviewing files that changed from the base of the PR and between aa96fe5 and ba6ce67.

📒 Files selected for processing (3)

• .changeset/moody-eggs-juggle.md
• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.spec.ts
• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout. (5)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: CodeQL-Build
• GitHub Check: Hacktron Security Check
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.spec.ts
• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.ts

**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.spec.ts

🧠 Learnings (6)

📚 Learning: 2026-03-16T21:50:37.589Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: .changeset/migrate-users-register-openapi.md:3-3
Timestamp: 2026-03-16T21:50:37.589Z
Learning: For changes related to OpenAPI migrations in Rocket.Chat/OpenAPI, when removing endpoint types and validators from rocket.chat/rest-typings (e.g., UserRegisterParamsPOST, /v1/users.register) document this as a minor changeset (not breaking) per RocketChat/Rocket.Chat-Open-API#150 Rule 7. Note that the endpoint type is re-exposed via a module augmentation .d.ts in the consuming package (e.g., packages/web-ui-registration/src/users-register.d.ts). In reviews, ensure the changeset clearly states: this is a non-breaking change, the major version should not be bumped, and the changeset reflects a minor version bump. Do not treat this as a breaking change during OpenAPI migrations.

Applied to files:

• .changeset/moody-eggs-juggle.md

📚 Learning: 2026-02-24T19:22:48.358Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/omnichannel/omnichannel-send-pdf-transcript.spec.ts:66-67
Timestamp: 2026-02-24T19:22:48.358Z
Learning: In Playwright end-to-end tests (e.g., under apps/meteor/tests/e2e/...), prefer locating elements by translated text (getByText) and ARIA roles (getByRole) over data-qa attributes. If translation values change, update the corresponding test locators accordingly. Never use data-qa locators. This guideline applies to all Playwright e2e test specs in the repository and helps keep tests robust to UI text changes and accessible semantics.

Applied to files:

• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.spec.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.spec.ts
• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.spec.ts
• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.ts

📚 Learning: 2026-03-06T18:10:15.268Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:15.268Z
Learning: In tests (especially those using testing-library/dom/jsdom) for Rocket.Chat components, the HTML <code> element has an implicit ARIA role of 'code'. Therefore, screen.getByRole('code') or screen.findByRole('code') will locate <code> elements even without a role attribute. Do not flag findByRole('code') as invalid in reviews; prefer using the implicit role instead of adding role="code" unless necessary for accessibility.

Applied to files:

• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.spec.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.spec.ts
• apps/meteor/app/ui-message/client/messageBox/createComposerAPI.ts

🪛 ast-grep (0.44.0)

apps/meteor/app/ui-message/client/messageBox/createComposerAPI.spec.ts

[warning] 19-19: Direct modification of innerHTML or outerHTML properties detected. Modifying these properties with unsanitized user input can lead to XSS vulnerabilities. Use safe alternatives or sanitize content first.
Context: document.body.innerHTML = ''
Note: [CWE-79] Improper Neutralization of Input During Web Page Generation

(dom-content-modification)

🔇 Additional comments (3)

apps/meteor/app/ui-message/client/messageBox/createComposerAPI.ts (1)

299-301: LGTM!

apps/meteor/app/ui-message/client/messageBox/createComposerAPI.spec.ts (1)

1-61: LGTM!

.changeset/moody-eggs-juggle.md (1)

1-5: LGTM!

---

Walkthrough

The message composer now places the cursor at the end of inserted text after replaceText, adds regression tests for mention insertion positions, and includes a patch changeset note.

Changes

Message composer cursor fix

Layer / File(s)	Summary
replaceText cursor placement apps/meteor/app/ui-message/client/messageBox/createComposerAPI.ts	replaceText now sets both selection endpoints to the computed insertion cursor after replacement.
Regression coverage and release note apps/meteor/app/ui-message/client/messageBox/createComposerAPI.spec.ts, .changeset/moody-eggs-juggle.md	The new spec covers mention insertion at the start, middle, and end of a message, and the changeset records the patch release note.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

type: bug

Suggested reviewers

• gabriellsh

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: fixing cursor position after inserting a mention.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• CORE-2266: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[cubic-dev-ai]

No issues found across 3 files

_{Re-trigger cubic}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.12%. Comparing base (aa96fe5) to head (ba6ce67).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #41074      +/-   ##
===========================================
+ Coverage    70.09%   70.12%   +0.02%     
===========================================
  Files         3363     3363              
  Lines       129711   130068     +357     
  Branches     22494    22500       +6     
===========================================
+ Hits         90922    91208     +286     
- Misses       35476    35554      +78     
+ Partials      3313     3306       -7     

Flag	Coverage Δ
e2e	59.34% <66.66%> (-0.02%)	⬇️
e2e-api	46.27% <ø> (ø)
unit	69.99% <100.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.