From 2611d905dea2d666443c1966e234cb0f9fd97c95 Mon Sep 17 00:00:00 2001
From: Friedrich Weber
Date: Mon, 31 Mar 2025 11:20:22 +0200
Subject: [PATCH] safe destroy: htmlEncode confirmation message to avoid interpreting HTML.

Signed-off-by: Friedrich Weber
---
 src/window/SafeDestroy.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/window/SafeDestroy.js b/src/window/SafeDestroy.js
index c058465..fad7897 100644
--- a/src/window/SafeDestroy.js
+++ b/src/window/SafeDestroy.js
@@ -189,13 +189,13 @@ Ext.define('Proxmox.window.SafeDestroy', {
 let taskName = me.getTaskName();
 if (Ext.isDefined(taskName)) {
 me.lookupReference('messageCmp').setHtml(
- Proxmox.Utils.format_task_description(taskName, itemId),
+ Ext.htmlEncode(Proxmox.Utils.format_task_description(taskName, itemId)),
 );
 } else {
 throw "no task name specified";
 }
- me.lookupReference('confirmField')
- .setFieldLabel(`${gettext('Please enter the ID to confirm')} (${itemId})`);
+ let label = `${gettext('Please enter the ID to confirm')} (${itemId})`;
+ me.lookupReference('confirmField').setFieldLabel(Ext.htmlEncode(label));
 },
 });
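Review bot: Both sinks in this hunk (`setHtml` on `messageCmp` and `setFieldLabel` on `confirmField`) now encode the whole string, but nothing in the code records why, so a later refactor could drop the `Ext.htmlEncode` calls without noticing that `itemId` reaches a setter that renders markup. I would add a comment above the first call, e.g. `// itemId may contain user-controlled text and these setters render HTML, so encode at the sink`. Encoding the complete result of `format_task_description` also escapes any markup that helper might emit on purpose; whether it does is not visible from this hunk, so that is worth confirming, along with whether other callers hand its output to HTML-rendering setters unencoded. The enclosing function starts outside the hunk.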