From e1028c1d7f23cc1e0941b7b37bb6ae5a04364308 Mon Sep 17 00:00:00 2001
From: Isaac Connor <isaac@zoneminder.com>
Date: Fri, 21 Oct 2022 16:21:25 -0400
Subject: [PATCH] Escape <> in log messages to prevent html shenanigans. Fixes
 #3596

---
 web/skins/classic/views/js/log.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/skins/classic/views/js/log.js b/web/skins/classic/views/js/log.js
index f74da63fa6..635779400b 100644
--- a/web/skins/classic/views/js/log.js
+++ b/web/skins/classic/views/js/log.js
@@ -50,8 +50,8 @@ function ajaxRequest(params) {
 function processRows(rows) {
   $j.each(rows, function(ndx, row) {
     try {
-      row.Message = decodeURIComponent(row.Message);
-    } catch(e) {
+      row.Message = decodeURIComponent(row.Message).replace(/</g, "&lt;").replace(/>/g, "&gt;");
+    } catch (e) {
       // ignore errors
     }
   });