From 9bfa885392337ad163e174aebbd194d3a526e9ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Fri, 21 Feb 2025 11:30:50 -0500
Subject: [PATCH] fix: escape confirm email in acp manage users
---
 src/controllers/admin/users.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/controllers/admin/users.js b/src/controllers/admin/users.js
index 4ea3ebb9e5..14e50bf9eb 100644
--- a/src/controllers/admin/users.js
+++ b/src/controllers/admin/users.js
@@ -199,7 +199,7 @@ async function loadUserInfo(callerUid, uids) {
 const confirmObj = confirmObjs[index];
 user['email:expired'] = !confirmObj.expires || Date.now() >= confirmObj.expires;
 user['email:pending'] = confirmObj.expires && Date.now() < confirmObj.expires;
- user.emailToConfirm = confirmObj.email;
+ user.emailToConfirm = validator.escape(String(confirmObj.email));
 }
 }
 });
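Review bot: On the added line, `String(confirmObj.email)` turns a missing email into the literal text `undefined` (or `null`), so `user.emailToConfirm` becomes a truthy string where it used to be falsy; the neighbouring `!confirmObj.expires` check suggests confirm objects can lack fields, though the guard around this block is outside the hunk. Consider `user.emailToConfirm = validator.escape(String(confirmObj.email || ''));`, which keeps the escaping of the user-supplied address without inventing a value. A one-line comment such as `// pending email is user-controlled; escape before it reaches the ACP template` would stop the escape being removed later as redundant, and it is worth confirming that no consumer of this field escapes it a second time. `loadUserInfo` starts and ends outside the hunk, and the hunk does not show where `validator` is required.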