diff --git a/api/routes.py b/api/routes.py
index 6cc1cf5..e7b6ce6 100644
--- a/api/routes.py
+++ b/api/routes.py
@@ -166,8 +166,8 @@ def handle_get(handler, parsed) -> bool:
.replace('{{LOGIN_SUBTITLE}}', _html.escape(_login_strings['subtitle']))
.replace('{{LOGIN_PLACEHOLDER}}', _html.escape(_login_strings['placeholder']))
.replace('{{LOGIN_BTN}}', _html.escape(_login_strings['btn']))
- .replace('{{LOGIN_INVALID_PW}}', _login_strings['invalid_pw']) # JS string, escape carefully
- .replace('{{LOGIN_CONN_FAILED}}', _login_strings['conn_failed'])
+ .replace('{{LOGIN_INVALID_PW}}', _login_strings['invalid_pw'].replace('\\','\\\\').replace("'","\\'"))
+ .replace('{{LOGIN_CONN_FAILED}}', _login_strings['conn_failed'].replace('\\','\\\\').replace("'","\\'"))
)
return t(handler, _page, content_type='text/html; charset=utf-8')
diff --git a/static/ui.js b/static/ui.js
index a3ea646..9f2b76e 100644
--- a/static/ui.js
+++ b/static/ui.js
@@ -539,7 +539,7 @@ function renderMessages(){
const tsVal=m._ts||m.timestamp;
const tsTitle=tsVal?new Date(tsVal*1000).toLocaleString():'';
const _bn=window._botName||'Hermes';
- row.innerHTML=`${isUser?'Y':esc(_bn.charAt(0).toUpperCase())}
${isUser?t('you'):esc(_bn)}${tsTitle?`
${new Date(tsVal*1000).toLocaleTimeString([],{hour:'2-digit',minute:'2-digit'})}`:''}
${editBtn}${retryBtn}${bodyHtml}
`;
+ row.innerHTML=`${isUser?'Y':esc(_bn.charAt(0).toUpperCase())}
${isUser?t('you'):esc(_bn)}${tsTitle?`
${new Date(tsVal*1000).toLocaleTimeString([],{hour:'2-digit',minute:'2-digit'})}`:''}
${editBtn}${retryBtn}${bodyHtml}
`;
row.dataset.rawText = String(content).trim();
inner.appendChild(row);
}