Always escape initials in LetterAvatarProvider

ChangeLog

@@ -38,6 +38,10 @@ Bug fixes:
 
 * Upload files button stay disabled when there are other submit buttons on the same page
 * Hiding subtasks from hidden tasks in dashboard
+
+Security:
+
+* Fix XSS in LetterAvatarProvider (render broken image)
 * Avoid potential XSS in project overview when listing users (was avoided by default CSP rules)
 
 Version 1.0.39 (Feb 12, 2017)

app/User/Avatar/LetterAvatarProvider.php

@@ -39,7 +39,7 @@ class LetterAvatarProvider extends Base implements AvatarProviderInterface
             $rgb[1],
             $rgb[2],
             $this->helper->text->e($user['name'] ?: $user['username']),
-            $initials
+            $this->helper->text->e($initials)
         );
     }