From 1eddf4c7207d1eb3e370cde51afe385d84b05d95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Tue, 27 Sep 2016 13:31:50 +0300
Subject: [PATCH] closes #5060
---
 src/socket.io/admin/user.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/socket.io/admin/user.js b/src/socket.io/admin/user.js
index 42dcd23266..5ebe40665b 100644
--- a/src/socket.io/admin/user.js
+++ b/src/socket.io/admin/user.js
@@ -1,7 +1,8 @@
 "use strict";
-
 var async = require('async');
+var validator = require('validator');
+
 var db = require('../../database');
 var groups = require('../../groups');
 var user = require('../../user');
@@ -204,7 +205,7 @@ User.search = function(socket, data, callback) {
 userData.forEach(function(user, index) {
 if (user && userInfo[index]) {
- user.email = userInfo[index].email || '';
+ user.email = validator.escape(String(userInfo[index].email || ''));
 user.flags = userInfo[index].flags || 0;
 }
 });
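Review bot: The `user.email` assigned inside the `userData.forEach` callback is now HTML-entity text rather than the stored address, and nothing on the line records that. `validator.escape` rewrites characters such as `&` and `'`, which are legal in an e-mail local part, so any consumer of this search result that treats the field as data (a mailto link, an export, a comparison) rather than as HTML text would receive the encoded form; those consumers are not visible in this hunk. I would add a comment above the assignment, for example `// email is user-supplied and presumably inserted into HTML by the admin search view; escaped here, so treat user.email as display-only`. The neighbouring `user.flags` is still passed through with only a `|| 0` fallback; it is probably a server-maintained counter, but if it can ever hold a string, coercing it in the same place would be consistent, e.g. `user.flags = parseInt(userInfo[index].flags, 10) || 0;`. The body of `User.search` starts and ends outside the hunk.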