Fixed an XSS vulnerability issue in the Query Tool and View/Edit Data (CVE-2025-2946). #8602

Author: akshay-joshi

docs/en_US/release_notes_9_2.rst

@@ -49,3 +49,4 @@ Bug fixes
   | `Issue #8546 <https://github.com/pgadmin-org/pgadmin4/issues/8546>`_ -  Fixed an issue where updating the grantee was not correctly applying the privileges.
   | `Issue #8577 <https://github.com/pgadmin-org/pgadmin4/issues/8577>`_ -  Fixed an issue where the upgrade_check API returned an unexpected keyword argument 'cafile' due to changes in the urllib package supporting Python v3.13.
   | `Issue #8597 <https://github.com/pgadmin-org/pgadmin4/issues/8597>`_ -  Fixed an issue where delete/rename was done on wrong file after sorting in Storage Manager.
+  | `Issue #8602 <https://github.com/pgadmin-org/pgadmin4/issues/8602>`_ -  Fixed an XSS vulnerability issue in the Query Tool and View/Edit Data (CVE-2025-2946).

web/pgadmin/static/js/utils.js

@@ -602,7 +602,7 @@ export function measureText(text, font) {
     measureText.ele.style.cssText = `position: absolute; visibility: hidden; white-space: nowrap; font: ${font}`;
     document.body.appendChild(measureText.ele);
   }
-  measureText.ele.innerHTML = text;
+  measureText.ele.textContent = text;
   const dim = measureText.ele.getBoundingClientRect();
   return {width: dim.width, height: dim.height};
 }