You're copying user input directly into the HTML document. You need to ensure that it's properly encoded first.
Since you're using jQuery, you can use the text method instead of the html method to update the target element:
$("#someElement").text(untrustedUserInput);
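
Where a whole HTML fragment has to be assembled as a string, so `.text()` on a single element is not enough, the same encoding can be applied by hand before the string reaches `.html()`. This is an added example, not part of the original answer; `encodeHtml` and `renderComment` are hypothetical helper names and the input is constructed.

```javascript
// Added example: HTML-encode untrusted data before it is placed in markup.
// Valid for element content and quoted attribute values only; it is not
// sufficient inside <script>, URL or CSS contexts.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function encodeHtml(value) {
  // Coerce to string so null, undefined or numbers cannot skip encoding.
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The markup is fixed by the developer; only encoded data is interpolated.
function renderComment(author, body) {
  return '<div class="comment" title="' + encodeHtml(author) + '">' +
         "<p>" + encodeHtml(body) + "</p></div>";
}

// Constructed sample input containing markup and an event handler.
const untrustedUserInput = '<img src=x onerror="alert(1)">';
const fragment = renderComment('guest" data-x="1', untrustedUserInput);

// In the browser, the encoded fragment can be passed to .html();
// the input is displayed as literal text instead of being parsed as a tag.
if (typeof $ !== "undefined") {
  $("#someElement").html(fragment);
} else {
  console.log(fragment);
}
```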