fix: escape response html

Author: acao

package-lock.json

@@ -242,6 +242,7 @@
     "babel-polyfill": "6.26.0",
     "capitalize": "^2.0.4",
     "dotenv": "^10.0.0",
+    "escape-html": "^1.0.3",
     "graphql": "^15",
     "graphql-config": "~4.1.0",
     "graphql-language-service-server": "^2.7.7",

package.json

@@ -10,7 +10,7 @@ import {
   WebviewPanel,
   WorkspaceFolder,
 } from "vscode"
-
+import escapeHtml from "escape-html"
 import type { ExtractedTemplateLiteral } from "./source-helper"
 import { loadConfig, GraphQLProjectConfig } from "graphql-config"
 import { visit, VariableDefinitionNode } from "graphql"
@@ -199,9 +199,9 @@ export class GraphQLContentProvider implements TextDocumentContentProvider {
 
           const updateCallback = (data: string, operation: string) => {
             if (operation === "subscription") {
-              this.html = `<pre>${data}</pre>` + this.html
+              this.html = `<pre>${escapeHtml(data)}</pre>` + this.html
             } else {
-              this.html += `<pre>${data}</pre>`
+              this.html += `<pre>${escapeHtml(data)}</pre>`
             }
             this.update(this.uri)
             this.updatePanel()