Escape html chars in Inject/Debug and Info pane

nodes/core/core/20-inject.html

@@ -379,7 +379,7 @@
         },
         button: {
             onclick: function() {
-                var label = this.name||this.payload;
+                var label = (this.name||this.payload).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;");
                 d3.xhr("inject/"+this.id).post(function(err,resp) {
                         if (err) {
                             if (err.status == 404) {

nodes/core/core/58-debug.html

@@ -156,9 +156,9 @@
                     });
                     RED.view.redraw();
                 };
-                var name = (o.name?o.name:o.id).toString().replace(/</g,"&lt;").replace(/>/g,"&gt;");
-                var topic = (o.topic||"").toString().replace(/</g,"&lt;").replace(/>/g,"&gt;");
-                var payload = (o.msg||"").toString().replace(/</g,"&lt;").replace(/>/g,"&gt;");
+                var name = (o.name?o.name:o.id).toString().replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;");
+                var topic = (o.topic||"").toString().replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;");
+                var payload = (o.msg||"").toString().replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;");
                 msg.className = 'debug-message'+(o.level?(' debug-message-level-'+o.level):'')
                 msg.innerHTML = '<span class="debug-message-date">'+getTimestamp()+'</span>'+
                                 '<span class="debug-message-name">['+name+']</span>'+

public/red/ui/tab-info.js

@@ -53,6 +53,7 @@ RED.sidebar.info = function() {
                 if (val.length > 30) { 
                     val = val.substring(0,30)+" ...";
                 }
+                val = val.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;");
             } else if (type === "number") {
                 val = val.toString();
             } else if ($.isArray(val)) {