Zulip Desktop before 5.4.3 allows XSS because string escaping is mishandled during composition of the HTML for the user interface.