SECURITY: Fix XSS in full name composer reply

We are using htmlSafe when rendering the name field so we need to escape
any html being passed in.

app/assets/javascripts/discourse/app/components/composer-action-title.js

@@ -12,6 +12,7 @@ import { alias } from "@ember/object/computed";
 import discourseComputed from "discourse-common/utils/decorators";
 import { iconHTML } from "discourse-common/lib/icon-library";
 import { htmlSafe } from "@ember/template";
+import { escape } from "pretty-text/sanitizer";
 
 const TITLES = {
   [PRIVATE_MESSAGE]: "topic.private_message",
@@ -84,7 +85,9 @@ export default Component.extend({
   },
 
   _formatReplyToUserPost(avatar, link) {
-    const htmlLink = `<a class="user-link" href="${link.href}">${link.anchor}</a>`;
+    const htmlLink = `<a class="user-link" href="${link.href}">${escape(
+      link.anchor
+    )}</a>`;
     return htmlSafe(`${avatar}${htmlLink}`);
   },
 });

app/assets/javascripts/discourse/tests/acceptance/composer-actions-test.js

@@ -518,11 +518,11 @@ acceptance("Prioritize Full Name", function (needs) {
 
   test("Reply to post use full name", async function (assert) {
     await visit("/t/short-topic-with-two-posts/54079");
-    await click("article#post_2 button.reply");
+    await click("article#post_3 button.reply");
 
     assert.strictEqual(
-      query(".action-title .user-link").innerText.trim(),
-      "james, john, the third"
+      query(".action-title .user-link").innerHTML.trim(),
+      "<h1>Tim Stone</h1>"
     );
   });
 

app/assets/javascripts/discourse/tests/fixtures/topic.js

@@ -6497,7 +6497,7 @@ export default {
         },
         {
           id: 419,
-          name: "Tim Stone",
+          name: "<h1>Tim Stone</h1>",
           username: "tms",
           avatar_template: "/letter_avatar_proxy/v4/letter/t/3be4f8/{size}.png",
           uploaded_avatar_id: 40181,