Merge pull request #16552 from jjcoffee/15700

Escape HTML in welcome message

src/libs/actions/Policy.js

@@ -271,7 +271,9 @@ function addMembersToWorkspace(memberLogins, welcomeNote, policyID) {
 
     API.write('AddMembersToWorkspace', {
         employees: JSON.stringify(_.map(logins, login => ({email: login}))),
-        welcomeNote,
+
+        // Escape HTML special chars to enable them to appear in the invite email
+        welcomeNote: _.escape(welcomeNote),
         policyID,
     }, {optimisticData, successData, failureData});
 }