title in fancytree needs to be escaped for HTML special characters

public/javascripts/note_tree.js

@@ -186,13 +186,15 @@ const noteTree = (function() {
             const noteTreeId = getNoteTreeId(parentNoteId, noteId);
             const noteTree = notesTreeMap[noteTreeId];
 
+            const title = (noteTree.prefix ? (noteTree.prefix + " - ") : "") + noteIdToTitle[noteTree.note_id];
+
             const node = {
                 note_id: noteTree.note_id,
                 parent_note_id: noteTree.parent_note_id,
                 note_tree_id: noteTree.note_tree_id,
                 is_protected: noteTree.is_protected,
                 prefix: noteTree.prefix,
-                title: (noteTree.prefix ? (noteTree.prefix + " - ") : "") + noteIdToTitle[noteTree.note_id],
+                title: escapeHtml(title),
                 extraClasses: getExtraClasses(noteTree),
                 refKey: noteTree.note_id,
                 expanded: noteTree.is_expanded

public/javascripts/tree_utils.js

@@ -37,7 +37,7 @@ const treeUtils = (function() {
 
         const title = (prefix ? (prefix + " - ") : "") + noteTitle;
 
-        node.setTitle(title);
+        node.setTitle(escapeHtml(title));
     }
 
     return {

public/javascripts/utils.js

@@ -93,4 +93,8 @@ function isTopLevelNode(node) {
 
 function isRootNode(node) {
     return node.key === "root_1";
+}
+
+function escapeHtml(str) {
+    return $('<div/>').text(str).html();
 }