From f8d11c6479b2680bdc7f593485764e1a4f4f7782 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Wed, 3 Feb 2021 14:48:26 -0800
Subject: [PATCH] compose: Generate properly escaped HTML.

Signed-off-by: Anders Kaseorg
---
 static/js/compose.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/static/js/compose.js b/static/js/compose.js
index 5b025205fa..a61f06b7c5 100644
--- a/static/js/compose.js
+++ b/static/js/compose.js
@@ -1,6 +1,7 @@
 "use strict";
 
 const Handlebars = require("handlebars/runtime");
+const _ = require("lodash");
 
 const render_compose_all_everyone = require("../templates/compose_all_everyone.hbs");
 const render_compose_announce = require("../templates/compose_announce.hbs");
@@ -901,7 +902,7 @@ exports.render_and_show_preview = function (preview_spinner, preview_content_box
             // Handle previews of /me messages
             rendered_preview_html =
                 "

" + - page_params.full_name + + _.escape(page_params.full_name) + "" + rendered_content.slice("

/me".length); } else {
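Review bot: The escaped display name is still spliced into markup by plain string concatenation next to `rendered_content.slice(...)`, and nothing in the hunk records why the escape is there, so a later edit could drop it without noticing; add a comment above the concatenation, `// full_name is user-controlled text; escape it before splicing it into the rendered HTML`. Since the file already requires the Handlebars runtime (first hunk), `Handlebars.Utils.escapeExpression(page_params.full_name)` would give the same HTML escaping the templates use without the new lodash require, which is a matter of taste. The slice by a fixed prefix length assumes `rendered_content` begins with exactly that `/me` prefix; presumably the condition before this hunk checks that, but the markup literals appear to have been stripped in this rendering, so I cannot confirm it here. The enclosing `render_and_show_preview` function starts before this hunk and continues after it.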