GSSA-2026-04-Y27PS4 | 2026-04-25 | 2.3 Low
HTML injection in import progress stream (admin self-XSS via crafted ZIP)
The data-import endpoint streamed HTML progress lines and embedded raw error messages from the unzipper and JSON parser without escaping, letting a malicious ZIP surface attacker-controlled HTML and JavaScript into the importing admin's browser.
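The pattern behind this advisory, shown as an added example that is not the affected project's code: a streamed HTML import log that interpolates unzipper/parser error text directly, next to the escaped form. The archive is constructed in memory with a hypothetical entry name carrying a harmless HTML marker; the function names (`build_hostile_zip`, `progress_line_unsafe`, `progress_line_safe`, `stream_import`, `run_import`) are assumptions for illustration.

```python
import html
import io
import json
import zipfile


def build_hostile_zip() -> bytes:
    """Constructed sample archive (not a real artifact): one entry whose
    NAME contains markup and whose body is invalid JSON, so that both the
    unzipper's file name and the parser's error text reach the log."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("<script>x</script>.json", "{not valid json")
        zf.writestr("ok.json", json.dumps({"id": 1}))
    return buf.getvalue()


def progress_line_unsafe(text: str) -> str:
    """Vulnerable pattern: raw error text dropped into the HTML stream."""
    return f"<p>{text}</p>\n"


def progress_line_safe(text: str) -> str:
    """Hardened pattern: escape before embedding in HTML. quote=True also
    neutralises quotes, so the text is safe inside attribute values too."""
    return f"<p>{html.escape(text, quote=True)}</p>\n"


def stream_import(zip_bytes: bytes, render=progress_line_safe):
    """Generator yielding one HTML progress line per archive entry, the way
    a chunked import response would. Error messages from the zip reader and
    the JSON parser are passed through `render`, which is the only place
    where escaping happens (or fails to happen)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            try:
                json.loads(zf.read(name))
            except json.JSONDecodeError as exc:
                # The entry name is attacker-controlled and lands in the log.
                yield render(f"Failed to parse {name}: {exc}")
            else:
                yield render(f"Imported {name}")


def run_import(zip_bytes: bytes, render=progress_line_safe) -> str:
    """Collect the whole stream so the result can be inspected or asserted on."""
    return "".join(stream_import(zip_bytes, render))


if __name__ == "__main__":
    hostile = build_hostile_zip()
    print("--- unescaped stream (vulnerable) ---")
    print(run_import(hostile, progress_line_unsafe))
    print("--- escaped stream (fixed) ---")
    print(run_import(hostile))
```

With the unsafe renderer the entry name `<script>x</script>` appears verbatim in the response body and is parsed as markup by the admin's browser; with `html.escape` it is rendered as literal text. A further hardening step, independent of the fix above, is to stream progress as `text/plain` or newline-delimited JSON and let client-side code insert it with `textContent`, so no server-side string ever becomes HTML.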