From 7570936c75c0d387c233658bfe17e3388d5cb277 Mon Sep 17 00:00:00 2001
From: botchedchuckle <chuckles.and.botch@gmail.com>
Date: Fri, 13 Mar 2026 01:29:04 -0700
Subject: [PATCH] Fix: Escape HTML in Prompt/NegativePrompt for MetadataPanel

* Fixed a bug where `prompt` and `negativePrompt` were both being
  added directly to HTML without escaping them. Given prompts are
  allowed to have HTML characters (e.g. `<lora:something:0.75>`), by
  forgetting to escape them some tags were missing in the metadata
  views for example images using those characters.
---
 static/js/components/shared/showcase/MetadataPanel.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/static/js/components/shared/showcase/MetadataPanel.js b/static/js/components/shared/showcase/MetadataPanel.js
index f34d9b03..f968348a 100644
--- a/static/js/components/shared/showcase/MetadataPanel.js
+++ b/static/js/components/shared/showcase/MetadataPanel.js
@@ -2,6 +2,7 @@
  * MetadataPanel.js
  * Generates metadata panels for showcase media items
  */
+import { escapeHtml } from '../utils.js';
 
 /**
  * Generate metadata panel HTML
@@ -49,6 +50,7 @@ export function generateMetadataPanel(hasParams, hasPrompts, prompt, negativePro
     }
     
     if (prompt) {
+        prompt = escapeHtml(prompt);
         content += `
             <div class="metadata-row prompt-row">
                 <span class="metadata-label">Prompt:</span>
@@ -64,6 +66,7 @@ export function generateMetadataPanel(hasParams, hasPrompts, prompt, negativePro
     }
     
     if (negativePrompt) {
+        negativePrompt = escapeHtml(negativePrompt);
         content += `
             <div class="metadata-row prompt-row">
                 <span class="metadata-label">Negative Prompt:</span>
@@ -80,4 +83,4 @@ export function generateMetadataPanel(hasParams, hasPrompts, prompt, negativePro
     
     content += '</div></div>';
     return content;
-}
\ No newline at end of file
+}