diff --git a/source/components/content/viewer/message.mjs b/source/components/content/viewer/message.mjs
index 7e19dd4fbdb54e0aaa8b5ec01aa9d4cc7f172482..3b518179fc09bf381ba7e998b6c1c372bd0cf4f0 100644
--- a/source/components/content/viewer/message.mjs
+++ b/source/components/content/viewer/message.mjs
@@ -193,6 +193,15 @@ class MessageContent extends CustomElement {
 this.setOption("message.subject", message?.subject || null);
 this.setOption("message.messageID", message?.messageID || null);
 
+ function escapeHTML(str) {
+ return str
+ .replace(/&/g, "&")
+ .replace(/</g, "<")
+ .replace(/>/g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+ }
+
 const headers = [];
 for (const [key, value] of Object.entries(message?.headers || {})) {
 if (key && value) {
@@ -200,7 +209,8 @@ class MessageContent extends CustomElement {
 if (isArray(valueString)) {
 valueString = "<ul>";
 for (const item of value) {
- valueString += `<li>${item}</li>`;
+ const escapedItem = escapeHTML(item);
+ valueString += `<li>${escapedItem}</li>`;
 }
 valueString += "</ul>";
 }
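Review bot: As this hunk renders, every replacement string in escapeHTML is the same character it matches (`"&"`, `"<"`, `">"`, `"'"`) and the fourth is `"""`, which is not even a valid string literal, so the function as shown would be a no-op rather than an escaper; this is most likely the entities `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;` being decoded by the page rendering, but please confirm the committed source really contains the entity forms, since a decoded copy would silently remove the XSS fix. Independently, `str.replace` throws a TypeError when a header item is not a string (a number or null would do it), so the first line should coerce: `return String(str)`. A nested function declaration inside a method body is also an odd home for a general-purpose helper; a module-level `const escapeHTML = (str) => ...` (or an existing project utility, if one exists) would be easier to reuse and test. The enclosing method starts before and ends after this hunk.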
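Review bot: Only the array branch of the header rendering is escaped; `key` and the non-array value of `valueString` are built in the same string and, as far as the hunk shows, still reach the markup unescaped, so if that string is assigned to `innerHTML` a non-array header value is as injectable as the list items were. The fix is to apply the same helper on every path that interpolates header data into the markup, e.g. `valueString = escapeHTML(String(valueString));` in the non-array case and escaping `key` where it is interpolated, or better, to build the `<ul>`/`<li>` nodes with `document.createElement` and `textContent` so escaping is not needed at all. The `else` path and the eventual `innerHTML` assignment lie outside this hunk, so this is inferred from the visible lines.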