From ee2c30e83f74d204c3fd9ea10fa6dec92091cf4d Mon Sep 17 00:00:00 2001 From: dhmjhu <166628128+dhmjhu@users.noreply.github.com> Date: Tue, 2 Jul 2024 16:34:46 -0400 Subject: [PATCH] escape HTML tags in error messages from server --- .../core/components/pages/guided-mode/data/GuidedSourceData.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/electron/frontend/core/components/pages/guided-mode/data/GuidedSourceData.js b/src/electron/frontend/core/components/pages/guided-mode/data/GuidedSourceData.js index e989e6652..e95c0dc94 100644 --- a/src/electron/frontend/core/components/pages/guided-mode/data/GuidedSourceData.js +++ b/src/electron/frontend/core/components/pages/guided-mode/data/GuidedSourceData.js @@ -121,13 +121,14 @@ export class GuidedSourceDataPage extends ManagedPage { if (result.message) { const [type, ...splitText] = result.message.split(":"); + const escapedType = type.replaceAll("<", "<").replaceAll(">", ">"); const text = splitText.length ? splitText.join(":").replaceAll("<", "<").replaceAll(">", ">") : result.traceback ? `
${result.traceback.trim().split("\n").slice(-2)[0].trim()}
` : ""; - const message = `

Request Failed

${type}

${text}

`; + const message = `

Request Failed

${escapedType}

${text}

`; this.notify(message, "error"); throw result; }
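Review bot: The `result.traceback` fallback for `text` is still interpolated into the markup unescaped. Only the `splitText.join(":")` branch and the new `escapedType` get the `<`/`>` replacement, so a traceback line containing markup would still be parsed as HTML, assuming `this.notify` renders the string as HTML as the template suggests. Python tracebacks routinely contain text such as `<module>` and can echo server-side data. I would route all three values through one helper, e.g. `const escapeHtml = (s) => s.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;");`, and use `escapeHtml(type)`, `escapeHtml(splitText.join(":"))` and the same call on the extracted traceback line. Escaping `&` first also stops entity-like text in a server message from being displayed as a different character. The enclosing method starts outside this hunk, so where `result` originates and how `notify` inserts the string are not visible here.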