diff --git a/nodes/core/core/20-inject.html b/nodes/core/core/20-inject.html
index 3834232ee..e70517e30 100644
--- a/nodes/core/core/20-inject.html
+++ b/nodes/core/core/20-inject.html
@@ -379,7 +379,7 @@
},
button: {
onclick: function() {
- var label = this.name||this.payload;
+ var label = (this.name||this.payload).replace(/&/g,"&").replace(//g,">");
d3.xhr("inject/"+this.id).post(function(err,resp) {
if (err) {
if (err.status == 404) {
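Review bot: The new `label` line calls `.replace` directly on `this.name||this.payload` with no string conversion, unlike the `.toString()` that precedes the same chain in 58-debug.html. If both fields are unset, or the payload is stored as a non-string value, the click handler would throw a TypeError before the `d3.xhr` POST is issued. Starting the expression with `String(this.name||this.payload||"")` and then applying the same escape chain avoids that. Where `label` is finally rendered is outside this hunk, so confirm that the sink is an HTML text context and not an attribute, because quotes are not escaped here.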
diff --git a/nodes/core/core/58-debug.html b/nodes/core/core/58-debug.html
index 58fe19374..dc611c8b1 100644
--- a/nodes/core/core/58-debug.html
+++ b/nodes/core/core/58-debug.html
@@ -156,9 +156,9 @@
});
RED.view.redraw();
};
- var name = (o.name?o.name:o.id).toString().replace(//g,">");
- var topic = (o.topic||"").toString().replace(//g,">");
- var payload = (o.msg||"").toString().replace(//g,">");
+ var name = (o.name?o.name:o.id).toString().replace(/&/g,"&").replace(//g,">");
+ var topic = (o.topic||"").toString().replace(/&/g,"&").replace(//g,">");
+ var payload = (o.msg||"").toString().replace(/&/g,"&").replace(//g,">");
msg.className = 'debug-message'+(o.level?(' debug-message-level-'+o.level):'')
msg.innerHTML = ''+getTimestamp()+''+
'['+name+']'+
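Review bot: The hand-written escape chain is now repeated on three lines here and again in 20-inject.html and tab-info.js, and every value still reaches `msg.innerHTML` by string concatenation, so one missed field or a reordered `.replace` reopens the injection. A single helper defined once in this script, with the ampersand replaced first, keeps the call sites from drifting. The replacement strings as rendered on this page look entity-decoded, so the fence spells out the entities that are presumably intended. The `msg.innerHTML` expression continues past the end of the hunk, so any further fields concatenated there should go through the same helper.

```javascript
// … unchanged: RED.view.redraw() and the end of the preceding handler …
// Define once at the script's top level rather than per message.
function escapeHtml(value) {
    return String(value)
        .replace(/&/g, "&amp;")   // must run first so later entities are not double-escaped
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;");
}
var name = escapeHtml(o.name ? o.name : o.id);
var topic = escapeHtml(o.topic || "");
var payload = escapeHtml(o.msg || "");
// … unchanged: msg.className and msg.innerHTML assembly …
```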
diff --git a/public/red/ui/tab-info.js b/public/red/ui/tab-info.js
index 9693dce2f..c2ef60d9c 100644
--- a/public/red/ui/tab-info.js
+++ b/public/red/ui/tab-info.js
@@ -53,6 +53,7 @@ RED.sidebar.info = function() {
if (val.length > 30) {
val = val.substring(0,30)+" ...";
}
+ val = val.replace(/&/g,"&").replace(//g,">");
} else if (type === "number") {
val = val.toString();
} else if ($.isArray(val)) {
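Review bot: Only the string branch gets the new escaping; the `$.isArray(val)` branch that starts on the last line of the hunk, and any branches after it, are not visible here. If those branches render element or property values into the info table as markup, they need the same treatment. The placement after the 30-character truncation is right, since escaping first could cut an entity in half, and that is worth recording with a comment such as `// escape after truncating so an entity is never split`.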