Also escape `"` and `'` just in case

src/notification_listing.rs

@@ -30,7 +30,9 @@ pub async fn render(db: &DbClient, user: &str) -> String {
                 .unwrap_or(&notification.origin_url)
                 .replace('&', "&")
                 .replace('<', "&lt;")
-                .replace('>', "&gt;"),
+                .replace('>', "&gt;")
+                .replace('"', "&quot;")
+                .replace('\'', "&#39;"),
         ));
         if let Some(metadata) = &notification.metadata {
             out.push_str(&format!(
@@ -38,7 +40,9 @@ pub async fn render(db: &DbClient, user: &str) -> String {
                 metadata
                     .replace('&', "&amp;")
                     .replace('<', "&lt;")
-                    .replace('>', "&gt;"),
+                    .replace('>', "&gt;")
+                    .replace('"', "&quot;")
+                    .replace('\'', "&#39;"),
             ));
         }
         out.push_str("</li>");