From 2d33a2296ffb7ebc2b0348f27c0b7c648c587516 Mon Sep 17 00:00:00 2001
From: Andy Butland
Date: Fri, 14 Feb 2025 15:28:05 +0100
Subject: [PATCH] Html encodes the user's name in the invite email.
---
 src/Umbraco.Web.BackOffice/Controllers/UsersController.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
index 960afa365e9a..f5486ff85926 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs
@@ -664,10 +664,11 @@ private async Task SendUserInviteEmailAsync(UserBasic? userDisplay, string? from
 var emailSubject = _localizedTextService.Localize("user", "inviteEmailCopySubject",
 // Ensure the culture of the found user is used for the email!
 UmbracoUserExtensions.GetUserCulture(to?.Language, _localizedTextService, _globalSettings));
+ var name = userDisplay is null ? string.Empty : System.Web.HttpUtility.HtmlEncode(userDisplay.Name);
 var emailBody = _localizedTextService.Localize("user", "inviteEmailCopyFormat",
 // Ensure the culture of the found user is used for the email!
 UmbracoUserExtensions.GetUserCulture(to?.Language, _localizedTextService, _globalSettings),
- new[] { userDisplay?.Name, from, WebUtility.HtmlEncode(message)!.ReplaceLineEndings("
"), inviteUri.ToString(), senderEmail });
+ new[] { name, from, WebUtility.HtmlEncode(message)!.ReplaceLineEndings("
"), inviteUri.ToString(), senderEmail });
 // This needs to be in the correct mailto format including the name, else
 // the name cannot be captured in the email sending notification.
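Review bot: The `from` and `senderEmail` entries in the `new[] { name, from, … }` array still reach the `inviteEmailCopyFormat` template unencoded, so the HTML injection this patch closes for the invitee's name likely remains open through the inviter's name or address if either is user-editable (where they are set is outside the hunk). Encode them at the same point, `WebUtility.HtmlEncode(from)` and `WebUtility.HtmlEncode(senderEmail)`, so every free-text argument to the HTML body is treated alike. The added line also reaches for `System.Web.HttpUtility.HtmlEncode` while the statement below it uses `WebUtility.HtmlEncode`; one helper throughout, e.g. `var name = WebUtility.HtmlEncode(userDisplay?.Name) ?? string.Empty;`, keeps the encoding rules identical and drops the fully qualified name. SendUserInviteEmailAsync starts and ends outside the hunk, so any later use of the raw `userDisplay.Name` in HTML context should be checked as well.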