From bf872defab175f1945c5e8859f858bc67118203a Mon Sep 17 00:00:00 2001
From: Theo Arends <11044339+arendst@users.noreply.github.com>
Date: Thu, 21 Nov 2024 16:58:45 +0100
Subject: [PATCH] Fix use HTML escape on File System Edit File load (#22492)

---
 CHANGELOG.md                                       | 1 +
 RELEASENOTES.md                                    | 1 +
 tasmota/tasmota_xdrv_driver/xdrv_50_filesystem.ino | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5563006e8..9082e57f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ All notable changes to this project will be documented in this file.
 ### Fixed
 - ESP32 upgrade by file upload response based on file size (#22500)
 - Wrong GUI Module and Template drop down list indexes regression
+- Use HTML escape on File System Edit File load (#22492)
 
 ### Removed
 
diff --git a/RELEASENOTES.md b/RELEASENOTES.md
index c1707f58e..98a599ce3 100644
--- a/RELEASENOTES.md
+++ b/RELEASENOTES.md
@@ -166,6 +166,7 @@ The latter links can be used for OTA upgrades too like ``OtaUrl https://ota.tasm
 
 ### Fixed
 - FUNC_COMMAND linked list command buffer corruption by shutter driver
+- Use HTML escape on File System Edit File load [#22492](https://github.com/arendst/Tasmota/issues/22492)
 - Prevent crashing when `display.ini` is missing end `#` [#22471](https://github.com/arendst/Tasmota/issues/22471)
 - Alexa Hue with multiple devices [#22383](https://github.com/arendst/Tasmota/issues/22383)
 - Mitsubishi Electric HVAC Standby Stage for MiElHVAC [#22430](https://github.com/arendst/Tasmota/issues/22430)
diff --git a/tasmota/tasmota_xdrv_driver/xdrv_50_filesystem.ino b/tasmota/tasmota_xdrv_driver/xdrv_50_filesystem.ino
index 27c97ab85..84203d405 100644
--- a/tasmota/tasmota_xdrv_driver/xdrv_50_filesystem.ino
+++ b/tasmota/tasmota_xdrv_driver/xdrv_50_filesystem.ino
@@ -1603,7 +1603,7 @@ void UfsEditor(void) {
         AddLog(LOG_LEVEL_DEBUG_MORE, PSTR("UFS: UfsEditor: read=%d"), l);
         if (l < 0) { break; }
         buf[l] = '\0';
-        WSContentSend_P(PSTR("%s"), buf);
+        WSContentSend_P(PSTR("%s"), HtmlEscape((char*)buf).c_str());
         filelen -= l;
       }
       fp.close();