compose: HTML-escape errors from server for compose_error.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

static/js/compose.js

@@ -379,7 +379,7 @@ export function send_message(request = create_message_object()) {
         // If we're not local echo'ing messages, or if this message was not
         // locally echoed, show error in compose box
         if (!locally_echoed) {
-            compose_error(response, $("#compose-textarea"));
+            compose_error(_.escape(response), $("#compose-textarea"));
             return;
         }
 
@@ -1149,7 +1149,7 @@ export function initialize() {
 
         function failure(error_msg) {
             clear_invites();
-            compose_error(error_msg, $("#compose-textarea"));
+            compose_error(_.escape(error_msg), $("#compose-textarea"));
             $(event.target).prop("disabled", true);
         }
 

static/js/reminder.js

@@ -1,4 +1,5 @@
 import $ from "jquery";
+import _ from "lodash";
 
 import * as channel from "./channel";
 import * as compose from "./compose";
@@ -96,7 +97,7 @@ export function schedule_message(request = compose.create_message_object()) {
     };
     const error = function (response) {
         $("#compose-textarea").prop("disabled", false);
-        compose.compose_error(response, $("#compose-textarea"));
+        compose.compose_error(_.escape(response), $("#compose-textarea"));
     };
     /* We are adding a disable on compose under this block because we
     want slash commands to be blocking in nature. */