escape html tags in log output

While normally this isn't enough to prevent XSS, this output will only
appear in the body of a <pre>, and anyway the scripts are semi-privileged

src/resources/js/app.js

@@ -430,7 +430,7 @@ const Run = function() {
   };
   var firstLog = false;
   var logHandler = function(vm, d) {
-    state.log += d;
+    state.log += d.replace(/</g,'&lt;').replace(/>/g,'&gt;');
     vm.$forceUpdate();
     if (!firstLog) {
       firstLog = true;