Resolve CVE-2025-5990

What does this MR do and why?

  • Set response JSON to text, not HTML, to avoid possible JS injection.
  • Resolves #567 (closed)

How to set up and validate locally

See issue for replication steps. Omitting from here due to sensitivity of CVE disclosure.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • Have you checked this doesn't interfere/conflict/duplicate someone else's work?
  • Have you fully tested your changes?
  • Have you resolved any lint issues?
  • Have you assigned a reviewer?
  • Have you applied correct labels?
Edited by Andrew
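
A regression check for the class of fix described above, added here as an example and not taken from this project's code: it flags a response whose body is JSON but whose Content-Type makes a browser render it as markup. The function names, the sample body and headers are constructed, and the `X-Content-Type-Options: nosniff` check is extra hardening assumed for the example, not something the MR states.

```python
import json
from email.message import Message

# Media types a browser renders as active markup (script can execute).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name), None)

def media_type(headers):
    """Lower-cased media type from Content-Type, parameters stripped."""
    value = header(headers, "content-type")
    if value is None:
        return None
    msg = Message()
    msg["Content-Type"] = value
    return msg.get_content_type()

def is_json(body):
    try:
        json.loads(body)
        return True
    except ValueError:
        return False

def audit_json_response(headers, body):
    """Return findings for a JSON body that a browser could treat as HTML."""
    if not is_json(body):
        return []
    findings = []
    mtype = media_type(headers)
    if mtype is None:
        findings.append("no Content-Type: browser may sniff the body")
    elif mtype in ACTIVE_TYPES:
        findings.append(f"JSON served as {mtype}: markup in string values is rendered")
    if (header(headers, "x-content-type-options") or "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings

# Constructed samples: json.dumps leaves '<' and '>' unescaped, so a string
# value carrying markup reaches the browser verbatim.
BODY = json.dumps({"error": "unknown item <b>x</b>"})
BEFORE = {"Content-Type": "text/html; charset=utf-8"}
AFTER = {"Content-Type": "text/plain; charset=utf-8",
         "X-Content-Type-Options": "nosniff"}  # nosniff is an assumption

if __name__ == "__main__":
    print("before:", audit_json_response(BEFORE, BODY))
    print("after: ", audit_json_response(AFTER, BODY))
```
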
