Stanza attribute escaping looks like a foot gun

[Zash]

https://github.com/matrix-org/matrix-bifrost/blob/f2f28bb7f7b069b8491c822e54ad0eeab6d8d114/src/xmppjs/Stanzas.ts#L23-L27

This, escaping fields in a setter instead of during serialization, scares me.

[Half-Shot]

Hmm, suspect this came about as a result of dodgy matrix displaynames. This should definitely be applied at the point of constructing a JID rather than setting it on the Stanza.

[Zash]

I see now some fields are encoded when the XML strings are composed, while others, like from as show above, are not. Being consistent with these things seems like the safest thing. Probably too easy to make mistakes otherwise, opening for injection attacks or having things accidentally double escaped.