fix(views): escape error message in ajax view

cubicweb/web/views/ajaxcontroller.py

@@ -66,6 +66,7 @@ from functools import partial
 from datetime import datetime
 
 from logilab.common.registry import yes
+from logilab.mtconverter import xml_escape
 
 from cubicweb import ObjectNotFound, NoSelectableObject, ValidationError
 from cubicweb.appobject import AppObject
@@ -116,7 +117,7 @@ class AjaxController(Controller):
         try:
             func = self._cw.vreg['ajax-func'].select(fname, self._cw)
         except ObjectNotFound:
-            raise RemoteCallFailed('no %s method' % fname,
+            raise RemoteCallFailed('no %s method' % xml_escape(fname),
                                    status=http_client.BAD_REQUEST)
         debug_mode = self._cw.vreg.config.debugmode
         # no <arg> attribute means the callback takes no argument