πŸ›‘οΈ Sentinel: [HIGH] Fix XSS / HTML Injection in Media Filenames and Inviter Details#768

Open
kevinaboos wants to merge 1 commit intomainfrom
security/sanitize-filenames-inviter-24851588514841085

Conversation

@kevinaboos
Member

🚨 Severity: HIGH
💡 Vulnerability: Unsanitized user inputs (filenames, user IDs, and display names) were being passed directly into format!() macros and rendered dynamically as HTML via the show_html function in Makepad widgets. This constitutes a Cross-Site Scripting (XSS) or HTML Injection vulnerability, where an attacker could provide malicious payloads in file names or their display name to inject arbitrary HTML into the UI context.
🎯 Impact: If exploited, this could allow an attacker to disrupt the UI, mislead users, or potentially execute unintended operations in the context of the application by injecting elements such as <script> or fake links.
🔧 Fix: Wrapped the relevant variables in htmlize::escape_text(...) before inserting them into HTML-destined formatted strings. This ensures that any HTML entities (like <, >, &) are properly escaped and displayed as plain text instead of being executed by the HTML parser. The fix was applied across the room_screen.rs (for file, audio, and video filenames) and rooms_list_entry.rs (for inviter details).
✅ Verification: Ran cargo check, cargo clippy, and the test suite via cargo test --lib -- tests. All tests and checks passed. No layout regressions were introduced.


PR created automatically by Jules for task 24851588514841085 started by @kevinaboos

Sanitizes filenames in file, video, and audio media types as well as display_name and user_id in invited room previews before passing them to the html rendering engine to prevent XSS vulnerabilities.

Co-authored-by: kevinaboos <1139460+kevinaboos@users.noreply.github.com>
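The pattern described in the PR body and commit message above, as an added example that is not the project's code or the PR's diff: the vulnerable `format!()`-into-HTML form beside the escaped form. The `escape_text` here is a hand-written stand-in for `htmlize::escape_text` (assumed to escape the same `&`, `<`, `>` set), used so the example runs without the crate; the caption template, the `file_caption_*` names and the sample filename are constructed for illustration.

```rust
use std::borrow::Cow;

/// Stand-in for `htmlize::escape_text` (assumption: same escape set, no crate needed):
/// escapes the three characters that change meaning inside HTML text content.
pub fn escape_text(input: &str) -> Cow<'_, str> {
    if !input.contains(|c: char| matches!(c, '&' | '<' | '>')) {
        return Cow::Borrowed(input);
    }
    let mut out = String::with_capacity(input.len() + 8);
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            _ => out.push(c),
        }
    }
    Cow::Owned(out)
}

/// Vulnerable form: the filename is interpolated verbatim, so any markup it
/// carries becomes part of the tree the HTML widget renders.
pub fn file_caption_unsafe(filename: &str, size_bytes: u64) -> String {
    format!("<b>{}</b> ({} bytes)", filename, size_bytes)
}

/// Hardened form, mirroring the PR's fix: escape before interpolating.
pub fn file_caption_safe(filename: &str, size_bytes: u64) -> String {
    format!("<b>{}</b> ({} bytes)", escape_text(filename), size_bytes)
}

/// Cheap invariant check for a debug assertion: the rendered caption should
/// contain only the tags the template itself introduced (here: two).
pub fn count_tags(html: &str) -> usize {
    html.matches('<').count()
}

fn main() {
    // Constructed sample filename carrying markup and an ampersand.
    let name = "report<i>final</i> & notes.pdf";
    println!("unsafe: {}", file_caption_unsafe(name, 1024));
    println!("safe:   {}", file_caption_safe(name, 1024));
}
```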
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.
