escape moderation notes

src/controllers/accounts/info.js

@@ -47,11 +47,7 @@ infoController.get = function (req, res, callback) {
 				},
 			}, next);
 		},
-	], function (err, data) {
-		if (err) {
-			return callback(err);
-		}
-
+		function (data) {
 			userData.history = data.history;
 			userData.sessions = data.sessions;
 			userData.usernames = data.usernames;
@@ -66,5 +62,6 @@ infoController.get = function (req, res, callback) {
 			userData.breadcrumbs = helpers.buildBreadcrumbs([{ text: userData.username, url: '/user/' + userData.userslug }, { text: '[[user:account_info]]' }]);
 
 			res.render('account/info', userData);
-	});
+		},
+	], callback);
 };

src/user/info.js

@@ -166,6 +166,7 @@ module.exports = function (User) {
 						var data = JSON.parse(note);
 						uids.push(data.uid);
 						data.timestampISO = utils.toISOString(data.timestamp);
+						data.note = validator.escape(String(data.note));
 						return data;
 					} catch (err) {
 						return next(err);

test/user.js

@@ -1236,15 +1236,16 @@ describe('User', function () {
 					setTimeout(next, 50);
 				},
 				function (next) {
-					socketUser.setModerationNote({ uid: adminUid }, { uid: testUid, note: 'second moderation note' }, next);
+					socketUser.setModerationNote({ uid: adminUid }, { uid: testUid, note: '<svg/onload=alert(document.location);//' }, next);
 				},
 				function (next) {
 					User.getModerationNotes(testUid, 0, -1, next);
 				},
 			], function (err, notes) {
 				assert.ifError(err);
-				assert.equal(notes[0].note, 'second moderation note');
+				assert.equal(notes[0].note, '&lt;svg&#x2F;onload=alert(document.location);&#x2F;&#x2F;');
 				assert.equal(notes[0].uid, adminUid);
+				assert.equal(notes[1].note, 'this is a test user');
 				assert(notes[0].timestamp);
 				done();
 			});