diff --git a/src/trx-client/trx-frontend/trx-frontend-http/assets/web/app.js b/src/trx-client/trx-frontend/trx-frontend-http/assets/web/app.js
index 08c3200..6c0f75d 100644
--- a/src/trx-client/trx-frontend/trx-frontend-http/assets/web/app.js
+++ b/src/trx-client/trx-frontend/trx-frontend-http/assets/web/app.js
@@ -811,16 +811,29 @@ function render(update) {
// Server subtitle: "trx-server vX.Y.Z hosted by CALL"
if (serverSubtitle) {
if (update.server_version && update.server_callsign) {
- serverSubtitle.textContent = `trx-server v${update.server_version} hosted by ${update.server_callsign}`;
+ const safeCallsign = escapeMapHtml(update.server_callsign);
+ const encodedCallsign = encodeURIComponent(update.server_callsign);
+ serverSubtitle.innerHTML =
+ `trx-server v${update.server_version} hosted by ${safeCallsign}`;
} else if (update.server_version) {
serverSubtitle.textContent = `trx-server v${update.server_version}`;
} else if (update.server_callsign) {
- serverSubtitle.textContent = `trx-server hosted by ${update.server_callsign}`;
+ const safeCallsign = escapeMapHtml(update.server_callsign);
+ const encodedCallsign = encodeURIComponent(update.server_callsign);
+ serverSubtitle.innerHTML =
+ `trx-server hosted by ${safeCallsign}`;
}
}
updateRigSubtitle(update.active_rig_id);
if (ownerSubtitle) {
- ownerSubtitle.textContent = `Owner: ${ownerCallsign || "--"}`;
+ if (ownerCallsign) {
+ const safeOwner = escapeMapHtml(ownerCallsign);
+ const encodedOwner = encodeURIComponent(ownerCallsign);
+ ownerSubtitle.innerHTML =
+ `Owner: ${safeOwner}`;
+ } else {
+ ownerSubtitle.textContent = "Owner: --";
+ }
}
setDisabled(false);
if (update.info && update.info.capabilities && Array.isArray(update.info.capabilities.supported_modes)) {