Fix html escaping

Change-Id: I34c188f997cef24497ded6f912b357e9a6eefddc
Closes-bug: #1612988

Author: viraptor

bandit/formatters/html.py

@@ -146,6 +146,7 @@
 
 """
 
+import cgi
 import logging
 import sys
 
@@ -334,14 +335,15 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
     for index, issue in enumerate(issues):
         if not baseline or len(issues[issue]) == 1:
             candidates = ''
-            code = code_block.format(code=issue.get_code(lines, True).
-                                     strip('\n').lstrip(' '))
+            safe_code = cgi.escape(issue.get_code(lines, True).
+                                   strip('\n').lstrip(' '))
+            code = code_block.format(code=safe_code)
         else:
             candidates_str = ''
             code = ''
             for candidate in issues[issue]:
-                candidate_code = (candidate.get_code(lines, True).strip('\n').
-                                  lstrip(' '))
+                candidate_code = cgi.escape(candidate.get_code(lines, True).
+                                            strip('\n').lstrip(' '))
                 candidates_str += candidate_issue.format(code=candidate_code)
 
             candidates = candidate_block.format(candidate_list=candidates_str)

tests/unit/formatters/test_html.py

@@ -128,6 +128,26 @@ def test_report_contents(self, get_issue_list, get_code):
             self.assertIn('CCCCCCC', issue1.text)
             self.assertIn('abc.py', issue1.text)
 
+    @mock.patch('bandit.core.issue.Issue.get_code')
+    @mock.patch('bandit.core.manager.BanditManager.get_issue_list')
+    def test_escaping(self, get_issue_list, get_code):
+        self.manager.metrics.data['_totals'] = {'loc': 1000, 'nosec': 50}
+        marker = '<tag in code>'
+
+        issue_a = _get_issue_instance()
+        issue_x = _get_issue_instance()
+        get_code.return_value = marker
+
+        get_issue_list.return_value = {issue_a: [issue_x]}
+
+        tmp_file = open(self.tmp_fname, 'w')
+        b_html.report(
+            self.manager, tmp_file, bandit.LOW, bandit.LOW)
+
+        with open(self.tmp_fname) as f:
+            contents = f.read()
+        self.assertNotIn(marker, contents)
+
 
 def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM):
     new_issue = issue.Issue(severity, confidence, 'Test issue')