fix: #7354

src/controllers/accounts/helpers.js

@@ -189,7 +189,6 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
 			userData.websiteLink = !userData.website.startsWith('http') ? 'http://' + userData.website : userData.website;
 			userData.websiteName = userData.website.replace(validator.escape('http://'), '').replace(validator.escape('https://'), '');
 
-			userData.email = validator.escape(String(userData.email || ''));
 			userData.fullname = validator.escape(String(userData.fullname || ''));
 			userData.location = validator.escape(String(userData.location || ''));
 			userData.signature = validator.escape(String(userData.signature || ''));

src/controllers/admin/users.js

@@ -1,7 +1,6 @@
 'use strict';
 
 var async = require('async');
-var validator = require('validator');
 var nconf = require('nconf');
 
 var user = require('../../user');
@@ -156,7 +155,6 @@ function getUsers(set, section, min, max, req, res, next) {
 		},
 		function (results) {
 			results.users = results.users.filter(function (user) {
-				user.email = validator.escape(String(user.email || ''));
 				return user && parseInt(user.uid, 10);
 			});
 			var data = {

src/socket.io/admin/user.js

@@ -1,7 +1,6 @@
 'use strict';
 
 var async = require('async');
-var validator = require('validator');
 var winston = require('winston');
 
 var db = require('../../database');
@@ -210,7 +209,7 @@ User.search = function (socket, data, callback) {
 		function (userInfo, next) {
 			searchData.users.forEach(function (user, index) {
 				if (user && userInfo[index]) {
-					user.email = validator.escape(String(userInfo[index].email || ''));
+					user.email = userInfo[index].email;
 					user.flags = userInfo[index].flags || 0;
 					user.lastonlineISO = userInfo[index].lastonlineISO;
 					user.joindateISO = userInfo[index].joindateISO;

src/user/approval.js

@@ -180,9 +180,7 @@ module.exports = function (User) {
 			},
 			function (_data, next) {
 				data = _data;
-				var keys = data.filter(Boolean).map(function (user) {
-					return 'registration:queue:name:' + user.value;
-				});
+				var keys = data.filter(Boolean).map(user => 'registration:queue:name:' + user.value);
 				db.getObjects(keys, next);
 			},
 			function (users, next) {

src/user/create.js

@@ -1,7 +1,6 @@
 'use strict';
 
 var async = require('async');
-var validator = require('validator');
 var zxcvbn = require('zxcvbn');
 var db = require('../database');
 var utils = require('../utils');
@@ -15,7 +14,7 @@ module.exports = function (User) {
 		data.username = data.username.trim();
 		data.userslug = utils.slugify(data.username);
 		if (data.email !== undefined) {
-			data.email = validator.escape(String(data.email).trim());
+			data.email = String(data.email).trim();
 		}
 		var timestamp = data.timestamp || Date.now();
 		var userData;

src/user/data.js

@@ -159,6 +159,10 @@ module.exports = function (User) {
 				user.username = validator.escape(user.username ? user.username.toString() : '');
 			}
 
+			if (user.hasOwnProperty('email')) {
+				user.email = validator.escape(user.email ? user.email.toString() : '');
+			}
+
 			if (!parseInt(user.uid, 10)) {
 				user.uid = 0;
 				user.username = (user.hasOwnProperty('oldUid') && parseInt(user.oldUid, 10)) ? '[[global:former_user]]' : '[[global:guest]]';

test/user.js

@@ -60,6 +60,17 @@ describe('User', function () {
 			});
 		});
 
+		it('should be created properly', function (done) {
+			User.create({ username: 'weirdemail', email: '<h1>test</h1>@gmail.com' }, function (err, uid) {
+				assert.ifError(err);
+				User.getUserData(uid, function (err, data) {
+					assert.ifError(err);
+					assert.equal(data.email, '&lt;h1&gt;test&lt;&#x2F;h1&gt;@gmail.com');
+					done();
+				});
+			});
+		});
+
 		it('should have a valid email, if using an email', function (done) {
 			User.create({ username: userData.username, password: userData.password, email: 'fakeMail' }, function (err) {
 				assert(err);