From f5ac584ed5fd3a26d2422644184036a29a62c311 Mon Sep 17 00:00:00 2001
From: Tulir Asokan
Date: Fri, 1 Mar 2019 23:01:44 +0200
Subject: [PATCH] Escape HTML in displaynames before putting it in the relaybot format
---
 mautrix_telegram/portal.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mautrix_telegram/portal.py b/mautrix_telegram/portal.py
index 5617b1f9..d81655d7 100644
--- a/mautrix_telegram/portal.py
+++ b/mautrix_telegram/portal.py
@@ -775,7 +775,7 @@ class Portal:
 tpl_args = dict(mxid=user.mxid,
 username=user.mxid_localpart,
- displayname=displayname)
+ displayname=escape_html(displayname))
 tpl_args = {**tpl_args, **(arguments or {})}
 message = Template(tpl).safe_substitute(tpl_args)
 return {
@@ -907,7 +907,7 @@ class Portal:
 displayname = await self.get_displayname(sender)
 tpl_args = dict(sender_mxid=sender.mxid,
 sender_username=sender.mxid_localpart,
- sender_displayname=displayname,
+ sender_displayname=escape_html(displayname),
 message=body)
 message["formatted_body"] = Template(tpl).safe_substitute(tpl_args)
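Review bot: Only the display name is escaped in both hunks, while `user.mxid`/`user.mxid_localpart` (first hunk) and `sender.mxid`/`sender.mxid_localpart` (second hunk) are substituted into the same HTML template unescaped (`body` is presumably already HTML here, so it is a separate question). Matrix user IDs are normally limited to a safe character set, but historical IDs may contain other characters, so the same treatment fits for defence in depth: `mxid=escape_html(user.mxid), username=escape_html(user.mxid_localpart),` and likewise for the two sender keys. In the first hunk the escape is applied before `tpl_args = {**tpl_args, **(arguments or {})}`, so a caller-supplied `displayname` key in `arguments` would replace the escaped value with an unescaped one — worth confirming callers never pass that key, or escaping after the merge. The diff adds no import for `escape_html`, so it is assumed to already be in scope in portal.py. Both enclosing methods start and end outside the hunks.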