SECURITY: Backport XSS fix

app/helpers/application_helper.rb

@@ -74,8 +74,9 @@ module ApplicationHelper
     end
   end
 
-  def unescape_emoji(title)
+  def format_topic_title(title)
     PrettyText.unescape_emoji(title)
+    strip_tags(title)
   end
 
   def with_format(format, &block)

app/views/user_notifications/digest.html.erb

@@ -20,7 +20,7 @@
 
       <%- @featured_topics.each_with_index do |t, i| %>
         <div class='featured-topic'>
-          <a href='<%= Discourse.base_url + t.relative_url %>'><%= raw unescape_emoji(t.title) %></a>
+          <a href='<%= Discourse.base_url + t.relative_url %>'><%= raw format_topic_title(t.title) %></a>
           <br/>
           <%= category_badge(t.category, inline_style: true, absolute_url: true) %>
         </div>
@@ -43,7 +43,7 @@
       <%- @new_topics.each do |t| %>
         <ul>
           <li>
-            <a href='<%= Discourse.base_url + t.relative_url %>'><%= raw unescape_emoji(t.title) %></a>
+            <a href='<%= Discourse.base_url + t.relative_url %>'><%= raw format_topic_title(t.title) %></a>
             <span class='post-count'><%= t.posts_count %></span>
             <%= category_badge(t.category, inline_style: true, absolute_url: true) %>
           </li>