api-viewer: correctly escape html when displaying return types.

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>

diff --git a/api-viewer/PVEAPI.js b/api-viewer/PVEAPI.js
index 835322fd094f76bfe630b1543e0a7ba51f54fb9b..1c34ef2e850deca859d107e2644bf582cf42fdf5 100644 (file)
--- a/api-viewer/PVEAPI.js
+++ b/api-viewer/PVEAPI.js
@@ -198,12 +198,12 @@ Ext.onReady(function() {
 
                    var returnhtml;
                    if (retinf.items) {
-                       returnhtml = '<pre>items: ' + JSON.stringify(retinf.items, null, 4) + '</pre>';
+                       returnhtml = '<pre>items: ' + Ext.htmlEncode(JSON.stringify(retinf.items, null, 4)) + '</pre>';
                    }
 
                    if (retinf.properties) {
                        returnhtml = returnhtml || '';
-                       returnhtml += '<pre>properties:' + JSON.stringify(retinf.properties, null, 4);
+                       returnhtml += '<pre>properties:' + Ext.htmlEncode(JSON.stringify(retinf.properties, null, 4));
                    }
 
                    sections.push({