Don't return non-mxc URLs by default.

lib/client.js

@@ -1578,12 +1578,15 @@ MatrixClient.prototype.setAvatarUrl = function(url, callback) {
  * @param {Number} height The desired height of the thumbnail.
  * @param {string} resizeMethod The thumbnail resize method to use, either
  * "crop" or "scale".
+ * @param {Boolean} allowDirectLinks If true, return any non-mxc URLs
+ * directly. Fetching such URLs will leak information about the user to
+ * anyone they share a room with. If false, will return null for such URLs.
  * @return {?string} the avatar URL or null.
  */
 MatrixClient.prototype.mxcUrlToHttp =
-        function(mxcUrl, width, height, resizeMethod) {
+        function(mxcUrl, width, height, resizeMethod, allowDirectLinks) {
     return contentRepo.getHttpUriForMxc(
-        this.baseUrl, mxcUrl, width, height, resizeMethod
+        this.baseUrl, mxcUrl, width, height, resizeMethod, allowDirectLinks
     );
 };
 

lib/content-repo.js

@@ -13,14 +13,22 @@ module.exports = {
      * @param {Number} height The desired height of the thumbnail.
      * @param {string} resizeMethod The thumbnail resize method to use, either
      * "crop" or "scale".
+     * @param {Boolean} allowDirectLinks If true, return any non-mxc URLs
+     * directly. Fetching such URLs will leak information about the user to
+     * anyone they share a room with. If false, will return the emptry string
+     * for such URLs.
      * @return {string} The complete URL to the content.
      */
-    getHttpUriForMxc: function(baseUrl, mxc, width, height, resizeMethod) {
+    getHttpUriForMxc: function(baseUrl, mxc, width, height, resizeMethod, allowDirectLinks) {
         if (typeof mxc !== "string" || !mxc) {
-            return mxc;
+            return '';
         }
         if (mxc.indexOf("mxc://") !== 0) {
+            if (allowDirectLinks) {
                 return mxc;
+            } else {
+                return '';
+            }
         }
         var serverAndMediaId = mxc.slice(6); // strips mxc://
         var prefix = "/_matrix/media/v1/download/";

lib/models/room-member.js

@@ -159,19 +159,25 @@ RoomMember.prototype.getLastModifiedTime = function() {
  * @param {Boolean} allowDefault (optional) Passing false causes this method to
  * return null if the user has no avatar image. Otherwise, a default image URL
  * will be returned. Default: true.
+ * @param {Boolean} allowDirectLinks (optional) If true, the avatar URL will be
+ * returned even if it is a direct hyperlink rather than a matrix content URL.
+ * If false, any non-matrix content URLs will be ignored. Setting this option to
+ * true will expose URLs that, if fetched, will leak information about the user
+ * to anyone who they share a room with.
  * @return {?string} the avatar URL or null.
  */
 RoomMember.prototype.getAvatarUrl =
-        function(baseUrl, width, height, resizeMethod, allowDefault) {
+        function(baseUrl, width, height, resizeMethod, allowDefault, allowDirectLinks) {
     if (allowDefault === undefined) { allowDefault = true; }
     if (!this.events.member && !allowDefault) {
         return null;
     }
     var rawUrl = this.events.member ? this.events.member.getContent().avatar_url : null;
-    if (rawUrl) {
-        return ContentRepo.getHttpUriForMxc(
-            baseUrl, rawUrl, width, height, resizeMethod
+    var httpUrl = ContentRepo.getHttpUriForMxc(
+        baseUrl, rawUrl, width, height, resizeMethod, allowDirectLinks
     );
+    if (httpUrl) {
+        return httpUrl;
     }
     else if (allowDefault) {
         return ContentRepo.getIdenticonUri(