Merge pull request #13084 from overleaf/ds-jpa-system-messages-html-escape

[web] escape HTML content in system messages as rendered via angular

GitOrigin-RevId: 88e711a1c6f4f9f70c09ca723893a48a0ec262c1

services/web/app/views/project/editor.pug

@@ -63,7 +63,8 @@ block content
 					button(ng-hide="protected",ng-click="hide()").close.pull-right
 						span(aria-hidden="true") ×
 						span.sr-only #{translate("close")}
-					.system-message-content(ng-bind-html="htmlContent")
+					.system-message-content
+						| {{htmlContent}}
 
 			grammarly-warning(delay=10000)
 			if hasFeature('saas')

services/web/app/views/project/list.pug

@@ -34,7 +34,8 @@ block content
 				button(ng-hide="protected",ng-click="hide()").close.pull-right
 					span(aria-hidden="true") ×
 					span.sr-only #{translate("close")}
-				.system-message-content(ng-bind-html="htmlContent")
+				.system-message-content
+					| {{htmlContent}}
 
 			include ../translations/translation_message