On most pages, like these:
When the username is something like "Joe User <firstname.lastname@example.org>", it is incorrectly escaped in the HTML as:
Then on the changes page for a specific build:
A username like the above wouldn't be escaped at all, so would be "Joe User <email@example.com>" in the HTML.
Of course the proper way to escape this would be:
We are using the mercurial plugin with rhodecode as the mercurial server, and I'm not sure if it's the job of the SCM plugin to escape these or whatever outputs the HTML, though I would think the latter.