utils: always html-encode response message

while this is something that only the user that made the request will
see, and for most people the possibility of "hacking" themselves is
rather redundant, it is still not nice to have this possible in
general; as even if it's highly unlikely that there ever can be an
error triggered to another user via API2 request handling, hardening
against it is simply to cheap to not do it.

Reported-by: Marcel Fromkorth <marcel.fromkorth@8com.de>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/Utils.js b/src/Utils.js
index 5adb8a71d78af7f1457fec320c78cb80e24d7c24..84d4b56c2f0a60ee9a7b9a6bbe03d30de1fb8fa5 100644 (file)
--- a/src/Utils.js
+++ b/src/Utils.js
@@ -396,7 +396,7 @@ utilities: {
        if (!result.success) {
            msg = gettext("Unknown error");
            if (result.message) {
-               msg = result.message;
+               msg = Ext.htmlEncode(result.message);
                if (result.status) {
                    msg += ` (${result.status})`;
                }