fix: #7938, escape username in registration queue

src/user/approval.js

@@ -110,6 +110,7 @@ module.exports = function (User) {
 		users = users.filter(Boolean).map(function (user, index) {
 			user.timestampISO = utils.toISOString(data[index].score);
 			user.email = validator.escape(String(user.email));
+			user.usernameEscaped = validator.escape(String(user.username));
 			delete user.hashedPassword;
 			return user;
 		});

src/views/admin/manage/registration.tpl

@@ -25,7 +25,7 @@
 					</thead>
 					<tbody>
 						<!-- BEGIN users -->
-						<tr data-username="{users.username}">
+						<tr data-username="{users.usernameEscaped}">
 							<td>
 								<!-- IF users.usernameSpam -->
 								<i class="fa fa-times-circle text-danger" title="[[admin/manage/registration:list.username-spam, {users.spamData.username.frequency}, {users.spamData.username.appears}, {users.spamData.username.confidence}]]"></i>