From e339ab34a4ecff55bd87eae19a0bda71ef38030f Mon Sep 17 00:00:00 2001
From: Michael Marchetti
Date: Thu, 22 Aug 2024 09:58:59 -0400
Subject: [PATCH] escape errors rendered by InternalError

---
 internal/services/api/api_helpers.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/internal/services/api/api_helpers.go b/internal/services/api/api_helpers.go
index 9846a001b..704e32ab9 100644
--- a/internal/services/api/api_helpers.go
+++ b/internal/services/api/api_helpers.go
@@ -5,6 +5,7 @@ package api
 import (
 "errors"
 "fmt"
+ "html"
 "net/http"

 "github.com/posit-dev/publisher/internal/logging"
@@ -13,7 +14,8 @@ import (

 func InternalError(w http.ResponseWriter, req *http.Request, log logging.Logger, err error) {
 status := http.StatusInternalServerError
- text := err.Error()
+ text := html.EscapeString(err.Error())
+ w.Header().Add("Content-Type", "text/plain")
 w.WriteHeader(status)
 w.Write([]byte(text))
 log.Error(text, "method", req.Method, "url", req.URL.String(), "error", err)
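Review bot: The added `w.Header().Add("Content-Type", "text/plain")` appends instead of replacing, so if a caller set a Content-Type before calling InternalError the response carries both values and which one a client honours is not guaranteed; `w.Header().Set("Content-Type", "text/plain; charset=utf-8")` together with `w.Header().Set("X-Content-Type-Options", "nosniff")` would pin the type and stop browsers from sniffing the body as HTML. The escaped `text` is also what reaches `log.Error`, so log messages will now contain entities such as `&#34;`; keeping `err.Error()` for the log call and escaping only the bytes passed to `w.Write` keeps the logs faithful to the original error. The body still returns the internal error string to the client, which may reveal paths or upstream details; whether that is acceptable depends on who can reach this API, which the hunk does not show. The end of InternalError lies outside the hunk.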