From 839b7d8c89aeec40853334291a2c4a644700b7ec Mon Sep 17 00:00:00 2001
From: Friedrich Weber <f.weber@proxmox.com>
Date: Mon, 7 Apr 2025 17:30:02 +0200
Subject: [PATCH] ui: set error mask: ensure that message is html-encoded

to avoid interpreting HTML in the message when displaying the mask.

Signed-off-by: Friedrich Weber <f.weber@proxmox.com>
Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>
---
 www/tape/BackupOverview.js | 2 +-
 www/tape/ChangerStatus.js  | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/www/tape/BackupOverview.js b/www/tape/BackupOverview.js
index f8e9dfd7..8f092db0 100644
--- a/www/tape/BackupOverview.js
+++ b/www/tape/BackupOverview.js
@@ -116,7 +116,7 @@ Ext.define('PBS.TapeManagement.BackupOverview', {
 
 		Proxmox.Utils.setErrorMask(view, false);
 	    } catch (error) {
-		Proxmox.Utils.setErrorMask(view, error.toString());
+		Proxmox.Utils.setErrorMask(view, Ext.htmlEncode(error.toString()));
 	    }
 	},
 
diff --git a/www/tape/ChangerStatus.js b/www/tape/ChangerStatus.js
index e18af90e..53e40857 100644
--- a/www/tape/ChangerStatus.js
+++ b/www/tape/ChangerStatus.js
@@ -597,7 +597,8 @@ Ext.define('PBS.TapeManagement.ChangerStatus', {
 		if (!use_cache) {
 		    Proxmox.Utils.setErrorMask(view);
 		}
-		Proxmox.Utils.setErrorMask(me.lookup('content'), response.result.message.toString());
+		let msg = Ext.htmlEncode(response.result.message.toString());
+		Proxmox.Utils.setErrorMask(me.lookup('content'), msg);
 	    }
 
 	    me.scheduleReload(5000);