Ensure any html in changelog is escaped before displaying

packages/node_modules/@node-red/editor-client/src/js/red.js

@@ -540,6 +540,8 @@ var RED = (function() {
 
     function showAbout() {
         $.get('red/about', function(data) {
+            // data will be strictly markdown. Any HTML should be escaped.
+            data = RED.utils.sanitize(data);
             var aboutHeader = '<div style="text-align:center;">'+
             '<img width="50px" src="red/images/node-red-icon.svg" />'+
             '</div>';