fix: escape fullname in chatWithMessage

src/messaging/index.js

@@ -248,8 +248,8 @@ Messaging.generateUsernames = function (room, excludeUid) {
 Messaging.generateChatWithMessage = async function (room, callerUid, userLang) {
 	const users = room.users.filter(u => u && parseInt(u.uid, 10) !== callerUid);
 	const usernames = users.map(u => (utils.isNumber(u.uid) ?
-		`<a href="${relative_path}/uid/${u.uid}">${u.displayname}</a>` :
-		`<a href="${relative_path}/user/${u.username}">${u.displayname}</a>`));
+		`<a href="${relative_path}/uid/${u.uid}">${validator.escape(String(u.displayname))}</a>` :
+		`<a href="${relative_path}/user/${u.username}">${validator.escape(String(u.displayname))}</a>`));
 	let compiled;
 	if (!users.length) {
 		return '[[modules:chat.no-users-in-room]]';

test/messaging.js

@@ -562,6 +562,27 @@ describe('Messaging Library', () => {
 			assert.equal(rooms[0].teaser.content, '<svg/onload=alert(document.location);');
 		});
 
+		it('should escape chatWithMessage', async () => {
+			const oldValue = meta.config.showFullnameAsDisplayName;
+			meta.config.showFullnameAsDisplayName = true;
+
+			const uid = await User.create({ username: 'escapedsender', fullname: '<svg/onload=alert(document.location);' });
+			await User.setSetting(uid, 'showfullname', 1);
+
+			await callv3API('post', '/chats', { uids: [uid] }, 'foo');
+
+			const { rooms } = await api.chats.list(
+				{ uid: mocks.users.foo.uid }, { start: 0, stop: 9, uid: mocks.users.foo.uid }
+			);
+
+			assert.strictEqual(
+				rooms[0].chatWithMessage,
+				`Chat with <a href="${nconf.get('relative_path')}/uid/${uid}">&lt;svg&#x2F;onload=alert(document.location);</a>`
+			);
+
+			meta.config.showFullnameAsDisplayName = oldValue;
+		});
+
 		it('should fail to check if user has private chat with invalid data', async () => {
 			await assert.rejects(
 				api.users.getPrivateRoomId({ uid: null }, undefined),