FIX: Escape names

assets/javascripts/discourse/components/solved-accepted-answer.gjs

@@ -9,6 +9,7 @@ import PostCookedHtml from "discourse/components/post/cooked-html";
 import concatClass from "discourse/helpers/concat-class";
 import icon from "discourse/helpers/d-icon";
 import { ajax } from "discourse/lib/ajax";
+import escape from "discourse/lib/escape";
 import { iconHTML } from "discourse/lib/icon-library";
 import { formatUsername } from "discourse/lib/utilities";
 import { i18n } from "discourse-i18n";
@@ -45,7 +46,7 @@ export default class SolvedAcceptedAnswer extends Component {
 
     const formattedUsername =
       this.siteSettings.display_name_on_posts && name
-        ? name
+        ? escape(name)
         : formatUsername(username);
 
     return htmlSafe(
@@ -67,7 +68,7 @@ export default class SolvedAcceptedAnswer extends Component {
 
     const displayedUser =
       this.siteSettings.display_name_on_posts && name
-        ? name
+        ? escape(name)
         : formatUsername(username);
 
     const data = {

assets/javascripts/discourse/components/solved-unaccept-answer-button.gjs

@@ -6,6 +6,7 @@ import DButton from "discourse/components/d-button";
 import icon from "discourse/helpers/d-icon";
 import { ajax } from "discourse/lib/ajax";
 import { popupAjaxError } from "discourse/lib/ajax-error";
+import escape from "discourse/lib/escape";
 import { formatUsername } from "discourse/lib/utilities";
 import { i18n } from "discourse-i18n";
 import DTooltip from "float-kit/components/d-tooltip";
@@ -57,7 +58,7 @@ export default class SolvedUnacceptAnswerButton extends Component {
     const name = this.args.post.topic.accepted_answer.accepter_name;
     const displayedName =
       this.siteSettings.display_name_on_posts && name
-        ? name
+        ? escape(name)
         : formatUsername(username);
     if (this.args.post.topic.accepted_answer.accepter_username) {
       return i18n("solved.marked_solved_by", {

spec/system/solved_spec.rb

@@ -3,7 +3,7 @@
 describe "About page", type: :system do
   fab!(:admin)
   fab!(:solver) { Fabricate(:user) }
-  fab!(:accepter) { Fabricate(:user) }
+  fab!(:accepter) { Fabricate(:user, name: "<b>DERP<b>") }
   fab!(:topic) { Fabricate(:post, user: admin).topic }
   fab!(:post1) { Fabricate(:post, topic:, user: solver, cooked: "The answer is 42") }
   let(:topic_page) { PageObjects::Pages::Topic.new }
@@ -16,7 +16,10 @@ describe "About page", type: :system do
   end
 
   %w[enabled disabled].each do |value|
-    before { SiteSetting.glimmer_post_stream_mode = value }
+    before do
+      SiteSetting.glimmer_post_stream_mode = value
+      SiteSetting.display_name_on_posts = true
+    end
 
     context "when glimmer_post_stream_mode=#{value}" do
       it "accepts post as solution and shows in OP" do
@@ -30,10 +33,10 @@ describe "About page", type: :system do
 
         expect(topic_page).to have_css(".post-action-menu__solved-accepted")
         expect(topic_page.find(".title .accepted-answer--solver")).to have_content(
-          "Solved by #{solver.username}",
+          "Solved by #{solver.name}",
         )
         expect(topic_page.find(".title .accepted-answer--accepter")).to have_content(
-          "Marked as solved by #{accepter.username}",
+          "Marked as solved by #{accepter.name}",
         )
         expect(topic_page.find("blockquote")).to have_content("The answer is 42")
       end