Sanitize username and photo URL

HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.

This commit sanitizes the username and photo URL by passing them
through the `xss` library.

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>

lib/models/user.js

@@ -2,6 +2,7 @@
 // external modules
 const Sequelize = require('sequelize')
 const scrypt = require('scrypt-kdf')
+const filterXSS = require('xss')
 
 // core
 const logger = require('../logger')
@@ -74,7 +75,7 @@ module.exports = function (sequelize, DataTypes) {
     }
     if (profile) {
       profile = {
-        name: profile.displayName || profile.username,
+        name: filterXSS(profile.displayName || profile.username),
         photo: User.parsePhotoByProfile(profile),
         biggerphoto: User.parsePhotoByProfile(profile, true)
       }
@@ -135,7 +136,7 @@ module.exports = function (sequelize, DataTypes) {
         photo = generateAvatarURL(profile.username)
         break
     }
-    return photo
+    return filterXSS(photo)
   }
   User.parseProfileByEmail = function (email) {
     return {