Fix XSS in Special Appointment Banner

Special appointment details are provided by the user and as such we need
to treat that input as untrusted. This commit ensures that any HTML in
the details is properly escaped before being rendered.

Author: jabley

manage_breast_screening/mammograms/jinja2/mammograms/special_appointments/special_appointment_banner.jinja

@@ -6,21 +6,19 @@
       {% set rows = [] %}
       {% for reason in presented_special_appointment.reasons %}
         {# Build the value content (details) #}
-        {% set value_content = "" %}
+        {% set value = {} %}
         {% if reason.details %}
-          {% set value_content = reason.details %}
+          {% set value = {"html": reason.details | e} %}
         {% else %}
-          {% set value_content = "<span class=\"nhsuk-u-secondary-text-colour\">No details provided</span>" %}
+          {% set value = {"html": "<span class=\"nhsuk-u-secondary-text-colour\">No details provided</span>"} %}
         {% endif %}
 
         {# Add row for this support reason #}
         {% do rows.append({
           "key": {
             "text": reason.label
           },
-          "value": {
-            "html": value_content | safe
-          }
+          "value": value
         }) %}
       {% endfor %}
       {{ summaryList({

manage_breast_screening/mammograms/tests/jinja2/test_special_appointment_banner.py

@@ -112,3 +112,51 @@ def test_special_appointment_banner_without_change_link(jinja_env, presenter):
         </div>
     """,
     )
+
+
+def test_special_appointment_banner_escapes_malicious_details(jinja_env):
+    malicious_details = "<script>alert(1)</script>"
+    presenter = SpecialAppointmentPresenter(
+        {
+            "PHYSICAL_RESTRICTION": {
+                "details": malicious_details,
+            }
+        },
+        "68d758d0-792d-430f-9c52-1e7a0c2aa1dd",
+    )
+
+    template = jinja_env.from_string(
+        dedent(
+            r"""
+                {% from 'mammograms/special_appointments/special_appointment_banner.jinja' import special_appointment_banner %}
+                {{ special_appointment_banner(presenter, show_change_link=False) }}
+                """
+        )
+    )
+
+    response = template.render({"presenter": presenter})
+
+    assertHTMLEqual(
+        response,
+        """
+        <div class="nhsuk-card nhsuk-card--warning">
+            <div class="nhsuk-card__content">
+                <h3 class="nhsuk-card__heading"><span role="text">
+                <span class="nhsuk-u-visually-hidden">Important: </span>
+                Special appointment
+                </span></h3>
+
+                <dl class="nhsuk-summary-list app-special-appointment-banner">
+                    <div class="nhsuk-summary-list__row">
+                        <dt class="nhsuk-summary-list__key">
+                        Physical restriction
+                        </dt>
+                        <dd class="nhsuk-summary-list__value">
+                        &lt;script&gt;alert(1)&lt;/script&gt;
+                        </dd>
+                    </div>
+                </dl>
+            </div>
+        </div>
+        """,
+    )