fix unescaped HTML in the tree node title, closes #1127

src/public/app/services/utils.js

@@ -64,8 +64,19 @@ function assertArguments() {
     }
 }
 
+const entityMap = {
+    '&': '&',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#39;',
+    '/': '&#x2F;',
+    '`': '&#x60;',
+    '=': '&#x3D;'
+};
+
 function escapeHtml(str) {
-    return $('<div/>').text(str).html();
+    return str.replace(/[&<>"'`=\/]/g, s => entityMap[s]);
 }
 
 async function stopWatch(what, func) {

src/public/app/widgets/note_tree.js

@@ -862,13 +862,14 @@ export default class NoteTreeWidget extends TabAwareWidget {
         const branch = treeCache.getBranch(node.data.branchId);
 
         const isFolder = this.isFolder(note);
+        const title = (branch.prefix ? (branch.prefix + " - ") : "") + note.title;
 
         node.data.isProtected = note.isProtected;
         node.data.noteType = note.type;
         node.folder = isFolder;
         node.icon = this.getIcon(note, isFolder);
         node.extraClasses = this.getExtraClasses(note);
-        node.title = (branch.prefix ? (branch.prefix + " - ") : "") + note.title;
+        node.title = utils.escapeHtml(title);
 
         if (node.isExpanded() !== branch.isExpanded) {
             node.setExpanded(branch.isExpanded, {noEvents: true});