Escape HTML in mentions box

app/assets/javascripts/app/views/publisher/mention_view.js

@@ -91,7 +91,7 @@ app.views.PublisherMention = app.views.SearchBase.extend({
    */
   updateMessageTexts: function() {
     var fakeMessageText = this.inputBox.val(),
-        mentionBoxText = fakeMessageText,
+        mentionBoxText = _.escape(fakeMessageText),
         messageText = fakeMessageText;
 
     this.mentionedPeople.forEach(function(person) {

features/desktop/posts_from_main_page.feature

@@ -196,6 +196,12 @@ Feature: posting from the main page
       And I select only "NotPostingThingsHere" aspect
       Then I should not see "I am eating a yogurt" and "And cornflakes also"
 
+    Scenario: Write html in the publisher
+      When I expand the publisher
+      Then I should not see any alert after I write the status message "<script>alert();</script>"
+      When I submit the publisher
+      Then "<script>alert();</script>" should be post 1
+
     # (NOTE) make this a jasmine spec
     Scenario: reject deletion one of my posts
       When I expand the publisher

spec/javascripts/app/views/publisher_mention_view_spec.js

@@ -197,6 +197,13 @@ describe("app.views.PublisherMention", function() {
       expect(this.view.mentionsBox.find(".mentions").html())
         .toBe("@user1 Text before <strong><span>user1</span></strong>\ntext after");
     });
+
+    it("properly escapes the user input", function() {
+      this.view.inputBox.val("<img src=\"/default.png\"> @user1 Text before \u200Buser1\ntext after");
+      this.view.updateMessageTexts();
+      expect(this.view.mentionsBox.find(".mentions").html())
+        .toBe("&lt;img src=\"/default.png\"&gt; @user1 Text before <strong><span>user1</span></strong>\ntext after");
+    });
   });
 
   describe("updateTypeaheadInput", function() {