Do not parse HTML in user id and display name

Signed-off-by: Joas Schilling <coding@schilljs.com>

apps/comments/js/commentstabview.js

@@ -195,22 +195,26 @@
 					},
 					sorter: function (q, items) { return items; }
 				},
-				displayTpl: '<li>'
-				+ '<span class="avatar-name-wrapper">'
-				+ '<div class="avatar" '
-				+ 'data-username="${id}"'	// for avatars
-				+ ' data-user="${id}"'		// for contactsmenu
-				+ ' data-user-display-name="${label}"></div>'
-				+ ' <strong>${label}</strong>'
-				+ '</span></li>',
-				insertTpl: ''
-				+ '<span class="avatar-name-wrapper">'
-				+ '<div class="avatar" '
-				+ 'data-username="${id}"'	// for avatars
-				+ ' data-user="${id}"'		// for contactsmenu
-				+ ' data-user-display-name="${label}"></div>'
-				+ ' <strong>${label}</strong>'
-				+ '</span>',
+				displayTpl: function (item) {
+					return '<li>'
+						+ '<span class="avatar-name-wrapper">'
+						+ '<div class="avatar" '
+						+ ' data-username="' + escapeHTML(item.id) + '"'	// for avatars
+						+ ' data-user="' + escapeHTML(item.id) + '"'		// for contactsmenu
+						+ ' data-user-display-name="' + escapeHTML(item.label) + '"></div>'
+						+ ' <strong>' + escapeHTML(item.label) + '</strong>'
+						+ '</span></li>';
+				},
+				insertTpl: function (item) {
+					return ''
+						+ '<span class="avatar-name-wrapper">'
+						+ '<div class="avatar" '
+						+ ' data-username="' + escapeHTML(item.id) + '"'	// for avatars
+						+ ' data-user="' + escapeHTML(item.id) + '"'		// for contactsmenu
+						+ ' data-user-display-name="' + escapeHTML(item.label) + '"></div>'
+						+ ' <strong>' + escapeHTML(item.label) + '</strong>'
+						+ '</span>';
+				},
 				searchKey: "label"
 			});
 			$target.on('inserted.atwho', function (je, $el) {