[VVP] Properly escape error messages in HTML output

Issue-ID: VVP-159

Change-Id: I741e5abbc80fbcbbb5d7c0332e13217305532bfd
Signed-off-by: Lovett, Trevor <trevor.lovett@att.com>

2 files changed, 8 insertions, 3 deletions

diff --git a/ice_validator/tests/conftest.py b/ice_validator/tests/conftest.py
index b09a8aa..e3c21e6 100644
--- a/ice_validator/tests/conftest.py
+++ b/ice_validator/tests/conftest.py
@@ -43,6 +43,10 @@ import json
 import os
 import re
 import time
+try:
+    from html import escape
+except ImportError:
+    from cgi import escape
 from collections import defaultdict
 
 import traceback
@@ -745,8 +749,9 @@ def generate_html_report(outpath, categories, template_path, failures):
             {
                 "file_links": make_href(failure.files, template_path),
                 "test_id": failure.test_id,
-                "error_message": failure.error_message.replace("\n", "<br/><br/>"),
-                "raw_output": failure.raw_output,
+                "error_message": escape(failure.error_message).replace("\n",
+                                                                       "<br/><br/>"),
+                "raw_output": escape(failure.raw_output),
                 "requirements": docutils.core.publish_parts(
                     writer_name="html", source=failure.requirement_text(reqs)
                 )["body"],
diff --git a/ice_validator/tests/test_non_server_name.py b/ice_validator/tests/test_non_server_name.py
index 7264ad0..7139c9b 100644
--- a/ice_validator/tests/test_non_server_name.py
+++ b/ice_validator/tests/test_non_server_name.py
@@ -167,4 +167,4 @@ def test_non_server_name_unique(heat_template):
     assert not bad, "Names must be unique," " not shared across resource ids.%s%s" % (
         delim,
         delim.join("%s: %s" % (name, list(value)) for name, value in bad.items()),
-    )
\ No newline at end of file
+    )