fix(#1648 M3): don't escape sprite HTML in mobile channel avatar

Mobile channel rows (renderChannelRowMobile) call avatarTextForChannel() which now returns either a 2-char text abbreviation or Phosphor sprite HTML (ph-lock / ph-key) for encrypted / user-added channels. The mobile renderer was unconditionally escapeHtml()-ing the result, so sprite HTML leaked into the avatar as visible escaped text on phone-width viewports. Detect 'starts with <svg' and emit raw HTML in that case; keep escapeHtml() for the plain-text abbreviation fallback. Caught by browser-verify (CDP screenshot at 375x812 dark).
2026-06-19 10:31:59 +00:00 · 2026-06-11 08:07:37 +00:00
parent 4a0cd89acd
commit 4ca73ced8d
1 changed files with 3 additions and 1 deletions
@@ -1789,12 +1789,14 @@
      preview = ch.messageCount + ' messages';
    }
    const abbr = avatarTextForChannel(ch);
+    // abbr may be a Phosphor sprite (HTML) or plain text — detect & emit raw vs escaped.
+    const isHtmlAbbr = typeof abbr === 'string' && abbr.startsWith('<svg');
    const sel = selectedHash === ch.hash ? ' selected' : '';
    return '<button type="button" class="ch-row' + sel + '" data-hash="' + escapeHtml(ch.hash) +
      '" role="option" aria-selected="' + (selectedHash === ch.hash ? 'true' : 'false') +
      '" aria-label="' + escapeHtml(name) + '">' +
      '<div class="ch-avatar ch-row-avatar" style="background:' + color +
-      '" aria-hidden="true">' + escapeHtml(abbr) + '</div>' +
+      '" aria-hidden="true">' + (isHtmlAbbr ? abbr : escapeHtml(abbr)) + '</div>' +
      '<div class="ch-row-body">' +
        '<div class="ch-row-line1">' +
          '<span class="ch-row-name">' + escapeHtml(name) + '</span>' +