From 3d6889662515acea38845bb1f142fab214aa1bb8 Mon Sep 17 00:00:00 2001
From: Isaac Connor <isaac@zoneminder.com>
Date: Fri, 21 Oct 2022 16:21:25 -0400
Subject: [PATCH] Escape <> in log messages to prevent html shenanigans. Fixes
 #3596

---
 web/skins/classic/views/js/log.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/skins/classic/views/js/log.js b/web/skins/classic/views/js/log.js
index 3188ca37f..635779400 100644
--- a/web/skins/classic/views/js/log.js
+++ b/web/skins/classic/views/js/log.js
@@ -50,7 +50,7 @@ function ajaxRequest(params) {
 function processRows(rows) {
   $j.each(rows, function(ndx, row) {
     try {
-      row.Message = decodeURIComponent(row.Message);
+      row.Message = decodeURIComponent(row.Message).replace(/</g, "&lt;").replace(/>/g, "&gt;");
     } catch (e) {
       // ignore errors
     }