diff --git a/src/core/operations/ToTable.mjs b/src/core/operations/ToTable.mjs index 28cd9bfe09..6d10b34023 100644 --- a/src/core/operations/ToTable.mjs +++ b/src/core/operations/ToTable.mjs @@ -57,7 +57,7 @@ class ToTable extends Operation { const [cellDelims, rowDelims, firstRowHeader, format] = args; // Process the input into a nested array of elements. - const tableData = Utils.parseCSV(input, cellDelims.split(""), rowDelims.split("")); + const tableData = Utils.parseCSV(Utils.escapeHtml(input), cellDelims.split(""), rowDelims.split("")); if (!tableData.length) return ""; diff --git a/src/web/OutputWaiter.mjs b/src/web/OutputWaiter.mjs index 28deaffade..2d93507c43 100755 --- a/src/web/OutputWaiter.mjs +++ b/src/web/OutputWaiter.mjs @@ -478,7 +478,7 @@ class OutputWaiter { */ showMagicButton(opSequence, result, recipeConfig) { const magicButton = document.getElementById("magic"); - magicButton.setAttribute("data-original-title", `${opSequence} will produce "${Utils.truncate(result, 30)}"`); + magicButton.setAttribute("data-original-title", `${opSequence} will produce "${Utils.escapeHtml(Utils.truncate(result), 30)}"`); magicButton.setAttribute("data-recipe", JSON.stringify(recipeConfig), null, ""); magicButton.classList.remove("hidden"); }