Ensure strings are properly encoded in the Query History. Fixes #4349

web/pgadmin/static/js/sqleditor/history/query_history_details.js

@@ -117,7 +117,7 @@ export default class QueryHistoryDetails {
   updateMessageContent() {
     this.$message_content
       .empty()
-      .append(`<pre class='content-value'>${this.entry.message}</pre>`);
+      .append(`<pre class='content-value'>${_.escape(this.entry.message)}</pre>`);
   }
 
   updateErrorMessage() {
@@ -125,10 +125,8 @@ export default class QueryHistoryDetails {
       this.$errMsgBlock.removeClass('d-none');
       this.$errMsgBlock.empty().append(
         `<div class='history-error-text'>
-                    <span>Error Message</span> ${this.parseErrorMessage(
-    this.entry.message
-  )}
-                </div>`
+            <span>Error Message</span>${_.escape(this.parseErrorMessage(this.entry.message))}
+        </div>`
       );
     } else {
       this.$errMsgBlock.addClass('d-none');

web/pgadmin/static/js/sqleditor/history/query_history_entries.js

@@ -1,5 +1,6 @@
 import moment from 'moment';
 import $ from 'jquery';
+import _ from 'underscore';
 
 const ARROWUP = 38;
 const ARROWDOWN = 40;
@@ -68,7 +69,7 @@ export class QueryHistoryItem {
     this.$el = $(
       `<li class='list-item' tabindex='0' data-key='${this.dataKey()}'>
           <div class='entry ${this.entry.status ? '' : 'error'}'>
-              <div class='query'>${this.entry.query}</div>
+              <div class='query'>${_.escape(this.entry.query)}</div>
               <div class='other-info'>
               <div class='timestamp'>${this.formatDate(this.entry.start_time)}</div>
               </div>