fix prod escaping

lib/Alchemy/Phrasea/Controller/Prod/PushController.php

@@ -597,7 +597,7 @@ class PushController extends Controller
 
     private function formatUser(User $user)
     {
-        $subtitle = array_filter([$user->getJob(), $user->getCompany()]);
+        $subtitle = array_filter([htmlspecialchars($user->getJob()), htmlspecialchars($user->getCompany())]);
 
         return [
             'type'         => 'USER',

lib/classes/record/adapter.php

@@ -939,7 +939,7 @@ class record_adapter implements RecordInterface, cache_cacheableInterface
             $this->set_data_to_cache(self::CACHE_TITLE, $title);
         }
 
-        return $title;
+        return htmlspecialchars($title);
     }
 
     /**

lib/classes/record/preview.php

@@ -149,7 +149,7 @@ class record_preview extends record_adapter
                         $this->original_item = $element;
                         $sbas_id = $element->getSbasId();
                         $record_id = $element->getRecordId();
-                        $this->name = $Basket->getName();
+                        $this->name = htmlspecialchars($Basket->getName());
                         $number = $element->getOrd();
                         $first = false;
                     }
@@ -169,7 +169,7 @@ class record_preview extends record_adapter
                     if ($element->getOrd() == $pos || $first) {
                         $sbas_id = $element->getSbasId();
                         $record_id = $element->getRecordId();
-                        $this->name = $entry->getTitle();
+                        $this->name = htmlspecialchars($entry->getTitle());
                         $this->original_item = $element;
                         $number = $element->getOrd();
                         $first = false;