In a lot of places, we call:
<%= HtmlUtil.escape(PortalUtil.getUserName(curArticle.getUserId(), curArticle.getUserName())) %>
The problem is, what if curArticle is an escaped model? If the user with curArticle.getUserId() no longer exists, we'll return curArticle.getUserName() which is escaped, and we'll escape things again.
One solution would be to remove HtmlUtil.escape, but that breaks too because if the user is not deleted, then we'll fetch the user from the db, and return an unescaped user name.
So the proper fix is to create a new method called PortalUtil.getUserName(auditedModel). It'll take in a auditedModel and return the user name in an escaped fashion if the input auditedModel was escaped, and return an unescaped user name if the audited model was not escaped.