
Escape `<`, `>` and `&` to avoid type parameters being parsed as HTML

kellda 4 years ago
parent
commit
9d2e23a31d
1 changed files with 11 additions and 2 deletions
  1. 11 2
      src/notification_listing.rs

+ 11 - 2
src/notification_listing.rs

@@ -27,10 +27,19 @@ pub async fn render(db: &DbClient, user: &str) -> String {
             notification
                 .short_description
                 .as_ref()
-                .unwrap_or(&notification.origin_url),
+                .unwrap_or(&notification.origin_url)
+                .replace('&', "&amp;")
+                .replace('<', "&lt;")
+                .replace('>', "&gt;"),
         ));
         if let Some(metadata) = &notification.metadata {
-            out.push_str(&format!("<ul><li>{}</li></ul>", metadata));
+            out.push_str(&format!(
+                "<ul><li>{}</li></ul>",
+                metadata
+                    .replace('&', "&amp;")
+                    .replace('<', "&lt;")
+                    .replace('>', "&gt;"),
+            ));
         }
         out.push_str("</li>");
     }
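Review bot: The escaping chain added at L21–24 and repeated at L31–33 covers only element content: `"` and `'` are left alone, which is adequate inside `<li>…</li>` but becomes an injection point the moment this same snippet is copied into an attribute such as an `href`. The `format!` call that receives the first value begins above the hunk, so I cannot see whether `origin_url` is also interpolated into an attribute there; if it is, that occurrence needs the attribute-safe escaping too. Rather than hand-rolling the replace chain twice, I would pull it into one helper that escapes all five characters (with `&` first so existing entities are not double-decoded) and call it from both sites, so a future third insertion point cannot forget a character. The enclosing `render` function starts before this hunk.
```rust
/// Escape `s` for insertion into HTML element content or a quoted attribute value.
/// `&` is replaced first so later replacements cannot re-introduce a raw ampersand.
fn escape_html(s: &str) -> String {
    s.replace('&', "&amp;")
        .replace('<', "&lt;")
        .replace('>', "&gt;")
        .replace('"', "&quot;")
        .replace('\'', "&#39;")
}

// … unchanged: start of render() and the format! call above …
            escape_html(
                notification
                    .short_description
                    .as_deref()
                    .unwrap_or(&notification.origin_url),
            ),
        ));
        if let Some(metadata) = &notification.metadata {
            out.push_str(&format!("<ul><li>{}</li></ul>", escape_html(metadata)));
        }
// … unchanged: closing of the list item and loop …
```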