From df069ee78dcfba250cebd2f120a1951e4e26a4ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Wed, 16 Aug 2017 12:32:06 -0400
Subject: [PATCH] escape teaser content
---
 src/messaging.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/messaging.js b/src/messaging.js
index 99467959b3..9cb54d0fb3 100644
--- a/src/messaging.js
+++ b/src/messaging.js
@@ -3,6 +3,7 @@
 var async = require('async');
 var S = require('string');
+var validator = require('validator');
 var db = require('./database');
 var user = require('./user');
@@ -211,6 +212,7 @@ Messaging.getTeaser = function (uid, roomId, callback) {
 }
 if (teaser.content) {
 teaser.content = S(teaser.content).stripTags().decodeHTMLEntities().s;
+ teaser.content = validator.escape(String(teaser.content));
 }
 teaser.timestampISO = utils.toISOString(teaser.timestamp);
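Review bot: The added `validator.escape(...)` line in `Messaging.getTeaser` carries no comment saying why it has to run after `decodeHTMLEntities()`: the decode step can turn entity-encoded text back into markup characters after `stripTags()` has already run, so the escape is what makes the teaser safe to place in HTML. I would put `// decodeHTMLEntities() can reintroduce markup characters; escape last so the teaser is safe to render as HTML` above it, so a later refactor does not reorder or drop the call. Because `teaser.content` is now HTML-escaped at the source, any consumer that escapes it again would presumably show double-encoded entities, which is worth checking in the templates and API clients that read the teaser. The diffstat lists only src/messaging.js, so a regression test that stores an entity-encoded message and asserts that the teaser comes back escaped would be a useful follow-up. The body of `getTeaser` starts and ends outside this hunk.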