SECURITY: Ensure user-stream topic titles are always escaped correctly

In core, `escapeExpression` was being applied during the model loading phase. However, plugin consumers of the UserStreamItem component were not necessarily doing the same.

This commit moves the emoji-replacement logic (which also safely handles escaping) into the component template, so that it is safe-by-default, regardless of how it's used by plugins.

app/assets/javascripts/discourse/app/components/user-stream-item.hbs

@@ -16,9 +16,9 @@
       <TopicStatus @topic={{@item}} @disableActions={{true}} />
       <span class="title">
         {{#if @item.postUrl}}
-          <a href={{@item.postUrl}}>{{html-safe @item.title}}</a>
+          <a href={{@item.postUrl}}>{{replace-emoji @item.title}}</a>
         {{else}}
-          {{html-safe @item.title}}
+          {{replace-emoji @item.title}}
         {{/if}}
       </span>
     </div>

spec/system/user_activity_posts_spec.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+describe "User activity posts", type: :system do
+  before_all { UserActionManager.enable }
+  fab!(:user)
+
+  fab!(:topic1) do
+    Fabricate(:topic, title: "Title with & characters and emoji :wave:").tap do |t|
+      Fabricate.times(2, :post, topic: t, user: user).each { |p| UserActionManager.post_created(p) }
+    end
+  end
+  fab!(:topic2) do
+    Fabricate(:topic).tap do |t|
+      Fabricate.times(2, :post, topic: t, user: user).each { |p| UserActionManager.post_created(p) }
+    end
+  end
+
+  it "lists posts with correctly-formatted titles" do
+    visit "/u/#{user.username_lower}/activity/replies"
+
+    expect(page).to have_css(".stream-topic-title .title", count: 2)
+
+    title_element = find(".stream-topic-title .title a[href*='/#{topic1.id}']")
+    expect(title_element).to have_text("Title with & characters and emoji")
+    expect(title_element).to have_css("img.emoji[title='wave']")
+  end
+end