From c8ae99e7d7011dcb1074d51077f1a57526eec6d9 Mon Sep 17 00:00:00 2001
From: Jason Rasmussen <jason@rasm.me>
Date: Thu, 2 Apr 2026 15:19:24 -0400
Subject: [PATCH] fix: escape html (#27469)

---
 .../components/asset-viewer/photo-sphere-viewer-adapter.svelte | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/web/src/lib/components/asset-viewer/photo-sphere-viewer-adapter.svelte b/web/src/lib/components/asset-viewer/photo-sphere-viewer-adapter.svelte
index d46b5e0dc1..12c4b45541 100644
--- a/web/src/lib/components/asset-viewer/photo-sphere-viewer-adapter.svelte
+++ b/web/src/lib/components/asset-viewer/photo-sphere-viewer-adapter.svelte
@@ -19,6 +19,7 @@
   import { ResolutionPlugin } from '@photo-sphere-viewer/resolution-plugin';
   import { SettingsPlugin } from '@photo-sphere-viewer/settings-plugin';
   import '@photo-sphere-viewer/settings-plugin/index.css';
+  import { escape } from 'lodash-es';
   import { onDestroy, onMount } from 'svelte';
 
   // Adapted as well as possible from classlist 'border-solid border-white border-3 rounded-lg'
@@ -138,7 +139,7 @@
 
       const fontSize = (1.4 * width) / box.text.length; // fits almost all strings within the box, depends on font family
       const transform = `matrix3d(${matrix.join(',')})`;
-      const content = `<div class="${OCR_TOOLTIP_HTML_CLASS}" style="font-size: ${fontSize}px; width: ${width}px; height: ${height}px; transform: ${transform}; transform-origin: 0 0;">${box.text}</div>`;
+      const content = `<div class="${OCR_TOOLTIP_HTML_CLASS}" style="font-size: ${fontSize}px; width: ${width}px; height: ${height}px; transform: ${transform}; transform-origin: 0 0;">${escape(box.text)}</div>`;
 
       if (updateOnly) {
         markersPlugin.updateMarker({