tatoeba2 Profile Name cross site scripting

An attacker can inject arbitrary HTML or JavaScript into the profile name field via the user profile edit page at `/user/edit_profile` [ref_id=1]. When another user visits the attacker's profile, the injected script executes in the victim's browser context, enabling cross-site scripting (XSS) attacks that could lead to session hijacking or account takeover [ref_id=1]. The attack is remote and requires no special privileges beyond a logged-in account to edit one's own profile name.

The vulnerability is in the Profile Name Handler component of tatoeba2, which does not sanitize user-supplied HTML in the profile name field [ref_id=1]. The patch also addresses a related unsanitized output issue in private message titles across multiple view files, applying `h()` (HTML-encoding) to `$title`, `$messageTitle`, and `$message->title` [ref_id=2].

The patch wraps previously unsanitized output with CakePHP's `h()` function (which HTML-encodes special characters) in three locations: the private message notification email template, the inbox listing, and the message detail view [ref_id=2]. This ensures that any HTML or JavaScript in user-supplied title text is rendered as safe text rather than executed by the browser. The fix was included in version prod_2022-10-30 [ref_id=1].

1. Log in to a tatoeba2 instance and navigate to `https://dev.tatoeba.org/user/edit_profile`. 2. In the "Name" field, enter `<script>alert("hello")</script>` (or any HTML/JavaScript payload) and save. 3. Visit the attacker's profile page — the injected HTML/script will execute in the viewer's browser [ref_id=1].