diff --git a/widget/discrepancy-note/dn-widget.js b/widget/discrepancy-note/dn-widget.js
index 9854020a..fd9d2d31 100644
--- a/widget/discrepancy-note/dn-widget.js
+++ b/widget/discrepancy-note/dn-widget.js
@@ -1585,6 +1585,20 @@ class Comment extends Widget {
}
}
+ _encodeHtml(str) {
+ return str.replace(
+ /[&<>'"]/g,
+ (tag) =>
+ ({
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ "'": ''',
+ '"': '"',
+ }[tag])
+ );
+ }
+
_getHistoryRow(item, options = {}) {
const types = {
comment: '',
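Review bot: The replacement table in `_encodeHtml` maps every character to itself as shown here (`'&': '&'`, `'<': '<'`, and so on), so if the file really contains these values the encoder is a no-op and `msg` still reaches the history-row markup unescaped; this may be an entity-decoding artifact of how the diff was rendered, but the committed values should be verified to read `{ '&': '&amp;', '<': '&lt;', '>': '&gt;', "'": '&#39;', '"': '&quot;' }`, using `&#39;` rather than `&apos;` because the latter is not recognised by all HTML parsers. The function also calls `str.replace` directly, so a `null` or `undefined` `msg` would throw instead of rendering an empty cell; if callers can pass that, `return String(str ?? '').replace(` is a cheap guard. A short JSDoc such as `/** Escape the five HTML-significant characters so untrusted text can be interpolated into markup. */` would make the intent clear to the next maintainer.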
@@ -1638,7 +1652,9 @@ class Comment extends Widget {
types[item.type]
}
- ${msg}
+ ${this._encodeHtml(
+ msg
+ )}
${
assignee