avoid HTML injection

See if this makes codeql happy.
stevebell117 · Oct 1, 2022 · 1db4047 · 1db4047
1 parent 2e1ee38
commit 1db4047
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/food/food.js b/lib/food/food.js
@@ -245,11 +245,11 @@ client.init(function loaded () {
           )
           .append($('<span>').addClass('width200px').text(foodlist[i].name))
           .append($('<span>').addClass('width150px').css('text-align','center').append(foodlist[i].portion))
-          .append($('<span>').addClass('width50px').css('text-align','center').append(foodlist[i].unit))
+          .append($('<span>').addClass('width50px').css('text-align','center').text(foodlist[i].unit))
           .append($('<span>').addClass('width100px').css('text-align','center').append(foodlist[i].carbs))
           .append($('<span>').addClass('width100px').css('text-align','center').append(foodlist[i].gi))
           .append($('<span>').addClass('width150px').append(foodlist[i].category))
-          .append($('<span>').addClass('width150px').append(foodlist[i].subcategory))
+          .append($('<span>').addClass('width150px').text(foodlist[i].subcategory))
           .append($('<span>').addClass('width100px').append(foodlist[i].fat))
           .append($('<span>').addClass('width100px').append(foodlist[i].protein))
           .append($('<span>').addClass('width100px').append(foodlist[i].energy))