From 14e0d40201fb470f4994a812fcaa0e14ecf797b2 Mon Sep 17 00:00:00 2001
From: Adrien Joly <531781+adrienjoly@users.noreply.github.com>
Date: Sat, 11 Dec 2021 16:29:31 +0100
Subject: [PATCH] fix(security): XSS with user name on profile (#506)

cf https://huntr.dev/bounties/c9061d03-f0e5-4eff-aa0b-7364b48de647/
---
 app/templates/mainTemplate.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/templates/mainTemplate.js b/app/templates/mainTemplate.js
index c6f5dfd36..42428c531 100644
--- a/app/templates/mainTemplate.js
+++ b/app/templates/mainTemplate.js
@@ -301,7 +301,9 @@ exports.renderHeader = function (user, content, params) {
             '     <div class="image" style="background-image:url(' +
               (user.img || '/img/u/' + user.id) +
               ');"></div>',
-            '			<strong class="username">' + user.name + '</strong>',
+            '			<strong class="username">' +
+              uiSnippets.htmlEntities(user.name) +
+              '</strong>',
             //	'      <img src="/img/u/'+user.id+'" />', // /images/icon-userconfig-menu.png
             '    </a>',
             '    <div class="puce">',