return an HTML response instead of trying to write and execute a
script that can execute arbitrary commands on the host system. There
is more work we should do (or just use client-side rendering) to
prevent hackers from running really bad stuff on the server.
Thanks to @xiaom0-0 for the find and fix.