Comment 2 for bug 342212

A simple, and probably more efficient way to escape the text is to use document.createTextNode(), but you need to append that node as opposed to just setting innerHTML. If you want to replace the entire content, it can be done by calling:

container.set('innerHTML', '');
container.appendChild(document.createTextNode(a_string_containing_html));

However, I don't think that the FormOverlay.showError() method is the right place to escape HTML, since it limits the ability of pages using that widget to format the error message. Since most errors messages containing potentially bogus HTML will come from the REST API, we could have the javascript REST client escape the response.responseText.