Fix XSS vulnerability in flash banner

We were making the body of any flash message as HTML safe, but that may
not always be the case.

There's only one place in the code where we relied on this
functionality, and it was to format the batch number in a particular
way. For now, it's much easier to remove that formatting.

We can't know if the input is HTML safe as it's stored in the session
and we lose that information (even if `html_safe` is called).

Jira-Issue: MAV-6743

Author: thomasleese

app/components/app_flash_message_component.html.erb

@@ -5,11 +5,11 @@
      success: success?,
    ) do |notification_banner| %>
   <% notification_banner.with_heading(
-       text: heading.html_safe,
+       text: heading,
        link_text: heading_link_text,
        link_href: heading_link_href,
      ) if heading.present? %>
   <% if body.present? %>
-    <p><%= body.html_safe %></p>
+    <p><%= body %></p>
   <% end %>
 <% end %>

app/controllers/batches_controller.rb

@@ -26,8 +26,7 @@ def create
     if expiry_validator.date_params_valid? && @form.save
       redirect_to vaccines_path,
                   flash: {
-                    success:
-                      "Batch <span class=\"nhsuk-u-text-break-word\">#{batch.number}</span> added".html_safe
+                    success: "Batch #{batch.number} added"
                   }
     else
       @form.expiry = expiry_validator.date_params_as_struct

spec/components/app_flash_message_component_spec.rb

@@ -89,6 +89,36 @@
         include("Success body")
       )
     end
+
+    context "when heading contains HTML but is not marked as safe" do
+      before { flash[:success][:heading] = "<p>HTML</p>" }
+
+      it "doesn't render the heading as HTML" do
+        expect(
+          rendered.css(".nhsuk-notification-banner__content").inner_html
+        ).to(include("&lt;p&gt;HTML&lt;/p&gt;"))
+      end
+    end
+
+    context "when body contains HTML that is marked as safe" do
+      before { flash[:success][:body] = "<p>HTML</p>".html_safe }
+
+      it "doesn't render the body as HTML" do
+        expect(
+          rendered.css(".nhsuk-notification-banner__content").inner_html
+        ).to(include("<p>HTML</p>"))
+      end
+    end
+
+    context "when body contains HTML but is not marked as safe" do
+      before { flash[:success][:body] = "<p>HTML</p>" }
+
+      it "doesn't render the body as HTML" do
+        expect(
+          rendered.css(".nhsuk-notification-banner__content").inner_html
+        ).to(include("&lt;p&gt;HTML&lt;/p&gt;"))
+      end
+    end
   end
 
   describe "the role attribute" do