inject text instead of HTML name

Avoid HTML injection called out by CODEQL.
stevebell117 · Oct 1, 2022 · 2e1ee38 · 2e1ee38
1 parent 8706658
commit 2e1ee38
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/food/food.js b/lib/food/food.js
@@ -243,7 +243,7 @@ client.init(function loaded () {
             .append($('<img>').attr('title',translate('Edit record')).attr('src',icon_edit).attr('index',i).attr('class','fe_editimg'))
             .append($('<img>').attr('title',translate('Delete record')).attr('src',icon_remove).attr('index',i).attr('class','fe_removeimg'))
           )
-          .append($('<span>').addClass('width200px').append(foodlist[i].name))
+          .append($('<span>').addClass('width200px').text(foodlist[i].name))
           .append($('<span>').addClass('width150px').css('text-align','center').append(foodlist[i].portion))
           .append($('<span>').addClass('width50px').css('text-align','center').append(foodlist[i].unit))
           .append($('<span>').addClass('width100px').css('text-align','center').append(foodlist[i].carbs))