From c4b689b698cee2f970e1cec10964c21b59b609e8 Mon Sep 17 00:00:00 2001
From: Friedrich Weber
Date: Mon, 7 Apr 2025 17:29:59 +0200
Subject: [PATCH] utils: API2Request: ensure that response's htmlStatus is html-encoded
`response.htmlStatus` is used to display error messages to the user. Hence, make sure that HTML in the error message is properly encoded.
`API2Request` has two codepaths setting `response.htmlStatus`:
- in the `success` callback, htmlStatus is assigned the result of `extractRequestError`, which already encodes backend-provided strings.
- in the `failure` callback, where this patch adds a missing htmlEncode.
Signed-off-by: Friedrich Weber
Reviewed-by: Dominik Csapak
---
 src/Utils.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Utils.js b/src/Utils.js
index bf85311..322d0f1 100644
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -516,7 +516,7 @@ utilities: {
 } else if (response.status && response.statusText) {
 msg = gettext('Connection error') + ' ' + response.status + ': ' + response.statusText;
 }
- response.htmlStatus = msg;
+ response.htmlStatus = Ext.htmlEncode(msg);
 Ext.callback(callbackFn, options.scope, [options, false, response]);
 Ext.callback(failureFn, options.scope, [response, options]);
 },
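Review bot: Encoding at the single `response.htmlStatus` assignment covers every branch that builds `msg`, but the branches before the visible `else if` lie outside the hunk, so if any of them already yields an encoded or markup-bearing string (the description says `extractRequestError` encodes on the success path, so a similar helper may be used here), the new line would double-encode and the user would see literal entities; those earlier branches are worth checking. The `else if` branch itself only concatenates `gettext('Connection error')` with `response.status` and `response.statusText`, which is plain text and is correctly encoded once here. To keep the invariant from regressing, a comment above the assignment would help: `// htmlStatus is rendered as HTML: encode exactly once here, so every branch above must leave msg as plain text`. The enclosing failure callback starts outside the hunk.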