Doesn't escape HTML entities #13
Description
jsonTree.js will print out HTML content to the page as is rather than escaping the HTML entities. This results in the HTML being inserted into the DOM and presented, and allows some types of custom Javascript execution. This constitutes an XSS vulnerability for any pages that render user-provided JSON using this library.
For example, on your demo page at http://summerstyle.github.io/jsonTreeViewer/ - provide the input {"test":"<img src='x' onerror='alert(1)'>"} and observe the alert.