User names associated with ticket attachments are not HTML-escaped
|Reported by:||Christopher Lenz||Owned by:||Jonas Borgström|
As can be seen on ticket #791 (as of this writing), the name of the user that has added an attachment to the ticket is not escaped. In particular, this is a problem with session names including the email address, such as
Tom example <email@example.com>. Here the email address in interpreted as a tag by browsers.