From 42a5a127b6a55483c800a7f459b12fc62c63c6a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Tue, 22 Apr 2025 11:46:03 -0400
Subject: [PATCH] fix: escape displayname in topic events
---
 src/topics/events.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/topics/events.js b/src/topics/events.js
index 10ab9b8936..0748318c37 100644
--- a/src/topics/events.js
+++ b/src/topics/events.js
@@ -1,5 +1,6 @@
 'use strict';

+const validator = require('validator');
 const _ = require('lodash');
 const nconf = require('nconf');
 const db = require('../database');
@@ -107,7 +108,13 @@ function renderUser(event) {
 if (!event.user || event.user.system) {
 return '[[global:system-user]]';
 }
- return `${helpers.buildAvatar(event.user, '16px', true)} ${event.user.displayname}`;
+
+ const user = {
+ ...event.user,
+ displayname: validator.escape(String(event.user.displayname)),
+ };
+
+ return `${helpers.buildAvatar(user, '16px', true)} ${user.displayname}`;
 }

 function renderTimeago(event) {
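Review bot: Only `displayname` is entity-encoded in the new `renderUser` body, yet the spread copy `user` still carries every other field of `event.user` into `helpers.buildAvatar(user, '16px', true)`; that helper is defined outside this hunk, so the patch does not show whether it encodes the fields it writes into the avatar markup. If it does not, the unescaped-output problem this commit closes for the display name would remain for those fields, and if it already escapes `displayname` itself, the avatar attributes would now be encoded twice, so both cases are worth confirming against the helper. I would add a comment above the object literal, `// the returned string is inserted as HTML, so entity-encode displayname at this sink`, and a regression test asserting that a display name containing `<` and `&` is returned as `&lt;` and `&amp;`, since the diffstat lists only `src/topics/events.js`. The signature of `renderUser` appears only in the hunk header, so the function begins outside the hunk.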