From c8ca0d521c4de7f23add9866761d51cd87aef270 Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Mon, 15 May 2023 14:55:26 +0100
Subject: [PATCH] Merge pull request #13084 from overleaf/ds-jpa-system-messages-html-escape [web] escape HTML content in system messages as rendered via angular
GitOrigin-RevId: 88e711a1c6f4f9f70c09ca723893a48a0ec262c1
---
 services/web/app/views/project/editor.pug | 3 ++-
 services/web/app/views/project/list.pug | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/services/web/app/views/project/editor.pug b/services/web/app/views/project/editor.pug
index 37eac4a124..051f89ccf2 100644
--- a/services/web/app/views/project/editor.pug
+++ b/services/web/app/views/project/editor.pug
@@ -63,7 +63,8 @@ block content
 button(ng-hide="protected",ng-click="hide()").close.pull-right
 span(aria-hidden="true") ×
 span.sr-only #{translate("close")}
- .system-message-content(ng-bind-html="htmlContent")
+ .system-message-content
+ | {{htmlContent}}
 grammarly-warning(delay=10000)
 if hasFeature('saas')
diff --git a/services/web/app/views/project/list.pug b/services/web/app/views/project/list.pug
index bdb9dac3aa..9e0072ba69 100644
--- a/services/web/app/views/project/list.pug
+++ b/services/web/app/views/project/list.pug
@@ -34,7 +34,8 @@ block content
 button(ng-hide="protected",ng-click="hide()").close.pull-right
 span(aria-hidden="true") ×
 span.sr-only #{translate("close")}
- .system-message-content(ng-bind-html="htmlContent")
+ .system-message-content
+ | {{htmlContent}}
 include ../translations/translation_message
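Review bot: In editor.pug the new `| {{htmlContent}}` line escapes the message as intended, but a raw interpolation shows as literal braces until AngularJS compiles the view; `.system-message-content(ng-bind="htmlContent")` gives the same text-only output on one line without that flash. The same applies to the identical change in list.pug. The binding is still named `htmlContent` although it is now rendered as text, so a short comment such as `//- rendered as plain text; markup in system messages is shown literally` would keep a later edit from switching back to `ng-bind-html`. If the controller (outside this patch) still prepares the value for trusted-HTML use, that handling is worth removing in the same change.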