fix(xss): escape user data in ConfirmModal and soft-delete flash

Escapes group.name before passing to ConfirmModal's v-html rendered
delete/archive confirmation messages in GroupActions.vue. Also escapes
user name in the soft-delete flash message in UserController to prevent
stored XSS when an admin deletes a user with a malicious name.

Author: ardelato

app/Http/Controllers/UserController.php

@@ -294,7 +294,7 @@ public function postSoftDeleteUser(Request $request): RedirectResponse
 
         if (Auth::id() !== $user_id) {
             return redirect('user/all')->with('danger', __('profile.soft_deleted', [
-                'name' => $old_user_name
+                'name' => e($old_user_name)
             ]));
         } else {
             return redirect('login');

resources/js/components/GroupActions.vue

@@ -56,10 +56,10 @@
     <ConfirmModal :key="'leavegroupmodal-' + idgroups" ref="confirmLeave" @confirm="leaveConfirmed"
       :message="__('groups.leave_group_confirm')" />
     <ConfirmModal :key="'deletegroupmodal-' + idgroups" ref="confirmDelete" @confirm="deleteConfirmed" :message="__('groups.delete_group_confirm', {
-      name: group.name
+      name: escapeHtml(group.name)
     })" />
     <ConfirmModal :key="'archivegroupmodal-' + idgroups" ref="confirmArchive" @confirm="archiveConfirmed" :message="__('groups.archive_group_confirm', {
-      name: group.name
+      name: escapeHtml(group.name)
     })" />
   </div>
 </template>
@@ -100,6 +100,11 @@ export default {
     }
   },
   methods: {
+    escapeHtml(str) {
+      const el = document.createElement('span')
+      el.textContent = str
+      return el.innerHTML
+    },
     leaveGroup() {
       this.$refs.confirmLeave.show()
     },