authorMorris Jobke <hey@morrisjobke.de>2018-08-30 20:52:20 +0200
committerGitHub <noreply@github.com>2018-08-30 20:52:20 +0200
commitab9672a32f1399cfadd73e5b79659b83af5909a2 (patch)
tree3f6ef5a073139d952cc771553a63198a4555a5db /apps/comments
parent25857c49008df3bbb799522c8c70b876ee396495 (diff)
parent5ba881ba41ccfa7c2c5fa97c282f715147d70dd1 (diff)
downloadnextcloud-server-ab9672a32f1399cfadd73e5b79659b83af5909a2.tar.gz
nextcloud-server-ab9672a32f1399cfadd73e5b79659b83af5909a2.zip
Merge pull request #10913 from nextcloud/do-not-parse-html-in-user-id-and-display-name
Do not parse HTML in user id and display name
Diffstat (limited to 'apps/comments')
-rw-r--r--apps/comments/js/commentstabview.js36
1 files changed, 20 insertions, 16 deletions
diff --git a/apps/comments/js/commentstabview.js b/apps/comments/js/commentstabview.js
index db38d055af4..8b20bac571b 100644
--- a/apps/comments/js/commentstabview.js
+++ b/apps/comments/js/commentstabview.js
@@ -195,22 +195,26 @@
},
sorter: function (q, items) { return items; }
},
- displayTpl: '<li>'
- + '<span class="avatar-name-wrapper">'
- + '<div class="avatar" '
- + 'data-username="${id}"' // for avatars
- + ' data-user="${id}"' // for contactsmenu
- + ' data-user-display-name="${label}"></div>'
- + ' <strong>${label}</strong>'
- + '</span></li>',
- insertTpl: ''
- + '<span class="avatar-name-wrapper">'
- + '<div class="avatar" '
- + 'data-username="${id}"' // for avatars
- + ' data-user="${id}"' // for contactsmenu
- + ' data-user-display-name="${label}"></div>'
- + ' <strong>${label}</strong>'
- + '</span>',
+ displayTpl: function (item) {
+ return '<li>'
+ + '<span class="avatar-name-wrapper">'
+ + '<div class="avatar" '
+ + ' data-username="' + escapeHTML(item.id) + '"' // for avatars
+ + ' data-user="' + escapeHTML(item.id) + '"' // for contactsmenu
+ + ' data-user-display-name="' + escapeHTML(item.label) + '"></div>'
+ + ' <strong>' + escapeHTML(item.label) + '</strong>'
+ + '</span></li>';
+ },
+ insertTpl: function (item) {
+ return ''
+ + '<span class="avatar-name-wrapper">'
+ + '<div class="avatar" '
+ + ' data-username="' + escapeHTML(item.id) + '"' // for avatars
+ + ' data-user="' + escapeHTML(item.id) + '"' // for contactsmenu
+ + ' data-user-display-name="' + escapeHTML(item.label) + '"></div>'
+ + ' <strong>' + escapeHTML(item.label) + '</strong>'
+ + '</span>';
+ },
searchKey: "label"
});
$target.on('inserted.atwho', function (je, $el) {
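Review bot: The three `data-*` values in `displayTpl` and `insertTpl` are written inside double-quoted attributes, so the fix holds only if `escapeHTML` encodes `"` and `&` as well as `<` and `>`. Its definition is not in this hunk and should be confirmed, because an escaper that handles only angle brackets would still let a display name end the attribute value early. The two functions also repeat the same markup with eight separate `escapeHTML` calls, so a later edit can easily change one copy and miss the other; a shared helper would keep the escaping in one place, for example `insertTpl: mentionTpl` and `displayTpl: function (item) { return '<li>' + mentionTpl(item) + '</li>'; }`. The enclosing options object begins and ends outside the hunk, so it is not visible here how `item.id` and `item.label` are populated or whether either can be null when passed to `escapeHTML`.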