From cf93d1da5099080c793f0699eac359f646f887d1 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Tue, 31 Jan 2023 15:41:39 +0100
Subject: [PATCH] utils: always html-encode response message

while this is something that only the user that made the request will see, and for most people the possibility of "hacking" themselves is rather redundant, it is still not nice to have this possible in general; as even if it's highly unlikely that there ever can be an error triggered to another user via API2 request handling, hardening against it is simply to cheap to not do it.

Reported-by: Marcel Fromkorth
Signed-off-by: Thomas Lamprecht
---
 src/Utils.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Utils.js b/src/Utils.js
index 5adb8a7..84d4b56 100644
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -396,7 +396,7 @@ utilities: {
 if (!result.success) {
 msg = gettext("Unknown error");
 if (result.message) {
- msg = result.message;
+ msg = Ext.htmlEncode(result.message);
 if (result.status) {
 msg += ` (${result.status})`;
 }
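Review bot: Only `result.message` is encoded; `result.status` is interpolated into `msg` two lines later, after the encoding, so if status can ever arrive from the response as a string rather than a numeric code, that suffix is still emitted raw. Applying `Ext.htmlEncode` to `result.status` inside the template on that line too, or encoding the fully assembled `msg` once after the suffix is appended, keeps the whole string covered. A short why-comment on the added line would help the next reader, e.g. `// server-supplied text may be rendered as HTML, so never interpolate it un-encoded`. The enclosing function starts before the hunk and continues past it, so where `msg` is consumed is not visible here.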