From 1db40470cc9436c9147937cf8ea5d1309e7f6659 Mon Sep 17 00:00:00 2001
From: Ben West
Date: Sat, 1 Oct 2022 12:33:31 -0700
Subject: [PATCH] avoid HTML injection See if this makes codeql happy.
---
 lib/food/food.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/food/food.js b/lib/food/food.js
index fcffb8c1b63..5a1f618dcc2 100644
--- a/lib/food/food.js
+++ b/lib/food/food.js
@@ -245,11 +245,11 @@ client.init(function loaded () {
 )
 .append($('').addClass('width200px').text(foodlist[i].name))
 .append($('').addClass('width150px').css('text-align','center').append(foodlist[i].portion))
- .append($('').addClass('width50px').css('text-align','center').append(foodlist[i].unit))
+ .append($('').addClass('width50px').css('text-align','center').text(foodlist[i].unit))
 .append($('').addClass('width100px').css('text-align','center').append(foodlist[i].carbs))
 .append($('').addClass('width100px').css('text-align','center').append(foodlist[i].gi))
 .append($('').addClass('width150px').append(foodlist[i].category))
- .append($('').addClass('width150px').append(foodlist[i].subcategory))
+ .append($('').addClass('width150px').text(foodlist[i].subcategory))
 .append($('').addClass('width100px').append(foodlist[i].fat))
 .append($('').addClass('width100px').append(foodlist[i].protein))
 .append($('').addClass('width100px').append(foodlist[i].energy))
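Review bot: The remaining cells in this hunk still pass record fields to jQuery `.append()`, which parses a string argument as HTML, so the injection path closed for `unit` and `subcategory` stays open for `portion`, `carbs`, `gi`, `category`, `fat`, `protein` and `energy`. `category` is the clearest case, sitting directly above the fixed `subcategory` line and presumably free text of the same kind; it should read `.append($('').addClass('width150px').text(foodlist[i].category))`. The numeric-looking fields deserve the same `.text(...)` treatment unless the server is known to coerce them to numbers, which is not visible here. The chained statement begins and ends outside the hunk, so cells above and below these lines should be checked as well.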