Fixed sanitization of user invited emails for notification message (#1060) (1.x backport)

no issue

- Escaped the email ids string that is inserted into the notification message during blog setup

Credits: Antony Garand
Fabien O'Carroll 2018-11-06 17:43:55 +07:00 committed by Kevin Ansfield
parent 512d6d8262
commit 81bf6a1f44
1 changed files with 2 additions and 1 deletions


@ -1,6 +1,7 @@
/* eslint-disable ghost/ember/alias-model-in-controller */
import Controller, {inject as controller} from '@ember/controller';
import DS from 'ember-data';
import Ember from 'ember';
import RSVP from 'rsvp';
import validator from 'npm:validator';
import {alias} from '@ember/object/computed';
@ -228,7 +229,7 @@ export default Controller.extend({
if (erroredEmails.length > 0) {
invitationsString = erroredEmails.length > 1 ? ' invitations: ' : ' invitation: ';
message = `Failed to send ${erroredEmails.length} ${invitationsString}`;
message += erroredEmails.join(', ');
message += Ember.Handlebars.Utils.escapeExpression(erroredEmails.join(', '));
message += '. Please check your email configuration, see <a href=\'https://docs.ghost.org/v1.0.0/docs/mail-config\' target=\'_blank\'>https://docs.ghost.org/v1.0.0/docs/mail-config</a> for instructions';
message = htmlSafe(message);