Profile: encode special XML characters in usernames and descriptions

this fixes the problem of profiles not rendering when a user has
special characters such as < or > in their name or status.
We didn't implement proper sanitization considering this method of
profile rendering is going to be obsolete soon.

commands/profile.js

@@ -29,10 +29,10 @@ module.exports = {
         let profile = await user.getProfile();
 
         let customStatus = profile.customStatus.replace(/(.{0,40}[\s])/g, '<tspan x="443" dy="1.2em">$1</tspan>');
-
+          
         let profileTemplate = fs.readFileSync('/app/assets/profile/profile.svg').toString();
-        profileTemplate = profileTemplate.replace(/{{USERNAME}}/g, discordUser.username.substr(0,15)+(discordUser.username.length>15?'...':''));
+        profileTemplate = profileTemplate.replace(/{{USERNAME}}/g, this.encodeStr(discordUser.username.substr(0,15)+(discordUser.username.length>15?'...':'')));
-        profileTemplate = profileTemplate.replace(/{{PROFILE_TEXT}}/g, customStatus );
+        profileTemplate = profileTemplate.replace(/{{PROFILE_TEXT}}/g, this.encodeStr(customStatus) );
         profileTemplate = profileTemplate.replace(/{{HEADER_COLOR}}/g, '190,31,97');
         profileTemplate = profileTemplate.replace(/{{CC}}/g, await Card.count({where: {userId: user.id}}));
         profileTemplate = profileTemplate.replace(/{{LVL}}/g, await user.level().currentLevel);
@@ -64,5 +64,16 @@ module.exports = {
 
         let profileImage = await Compositing.renderProfile(profile, background, renderedCards);
         await interaction.editReply({ files: [profileImage] });
+    },
+    encodeStr: function(str) {
+        let charMapping = {
+            '&': '&amp;',
+            '"': '&quot;',
+            '<': '&lt;',
+            '>': '&gt;'
+        };
+        return str.replace(/([\&"<>])/g, function(str, item) {
+            return charMapping[item];
+        });
     }
 }