From 1471ebc3f39fb5f71a5f6d12dcf0a46435be21ac Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Thu, 2 Feb 2017 20:16:08 +0100
Subject: [PATCH] Fixed escaping issue
---
 .../install/files/js/WoltLabSuite/Core/Ui/Redactor/Mention.js | 4 ++--
 wcfsetup/install/lang/de.xml | 2 +-
 wcfsetup/install/lang/en.xml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Redactor/Mention.js b/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Redactor/Mention.js
index 8bce8ab7fe..0100a4822c 100644
--- a/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Redactor/Mention.js
+++ b/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Redactor/Mention.js
@@ -1,4 +1,4 @@
-define(['Ajax', 'Environment', 'Ui/CloseOverlay'], function(Ajax, Environment, UiCloseOverlay) {
+define(['Ajax', 'Environment', 'StringUtil', 'Ui/CloseOverlay'], function(Ajax, Environment, StringUtil, UiCloseOverlay) {
 "use strict";
 var _dropdownContainer = null;
@@ -385,7 +385,7 @@ define(['Ajax', 'Environment', 'Ui/CloseOverlay'], function(Ajax, Environment, U
 link = elCreate('a');
 link.addEventListener('mousedown', callbackClick);
 link.className = 'box16';
- link.innerHTML = '' + user.icon + ' ' + user.label + '';
+ link.innerHTML = '' + user.icon + ' ' + StringUtil.escapeHTML(user.label) + '';
 elData(link, 'user-id', user.objectID);
 elData(link, 'username', user.label);
diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml
index 1a0f16488c..6bff307de5 100644
--- a/wcfsetup/install/lang/de.xml
+++ b/wcfsetup/install/lang/de.xml
@@ -2049,7 +2049,7 @@ Erlaubte Dateiendungen: {', '|implode:$attachmentHandler->getFormattedAllowedExt
-
+
diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml
index bd7be63699..e43b7dc502 100644
--- a/wcfsetup/install/lang/en.xml
+++ b/wcfsetup/install/lang/en.xml
@@ -2009,7 +2009,7 @@ Allowed extensions: {', '|implode:$attachmentHandler->getFormattedAllowedExtensi
-
+
--
2.20.1
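Review bot: In the `@@ -385,7 +385,7 @@` hunk of Mention.js, the new `link.innerHTML` assignment escapes `user.label` but still concatenates `user.icon` into the markup as raw HTML, and nothing on the line says why that is safe. If `user.icon` is markup rendered by the server (the hunk does not show where it comes from), state that above the assignment, for example `// user.icon is server-rendered HTML and is inserted as markup; user.label is user-supplied text and must be escaped`. The unescaped `user.label` is also stored by `elData(link, 'username', user.label)` two lines later; that is fine as an attribute value, but the code that later reads it back has to insert it as text rather than HTML, and that code is not visible here. The enclosing function starts and ends outside the hunk.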