correlations: Escape strings for html

Improves upon commit 63aff5ca22cfb5caaa38ac1d737afa48fc8dbf02

1 files changed, 5 insertions, 2 deletions

diff --git a/wqflask/wqflask/correlation/show_corr_results.py b/wqflask/wqflask/correlation/show_corr_results.py
index 825aac70..06db20c2 100644
--- a/wqflask/wqflask/correlation/show_corr_results.py
+++ b/wqflask/wqflask/correlation/show_corr_results.py
@@ -18,6 +18,7 @@
 #
 # This module is used by GeneNetwork project (www.genenetwork.org)
 
+import html
 import json
 
 from base.trait import create_trait, jsonable
@@ -203,7 +204,8 @@ def populate_table(dataset_metadata, target_dataset, this_dataset, corr_results,
                 results_dict['mean'] = "N/A"
                 results_dict['additive'] = "N/A"
                 if target_trait['description'].strip():
-                    results_dict['description'] = target_trait['description'].strip().replace("<", "&lt;").replace(">", "&gt;")
+                    results_dict['description'] = html.escape(
+                        target_trait['description'].strip(), quote=True)
                 if target_trait['mean']:
                     results_dict['mean'] = f"{float(target_trait['mean']):.3f}"
                 try:
@@ -237,7 +239,8 @@ def populate_table(dataset_metadata, target_dataset, this_dataset, corr_results,
                     results_dict['abbreviation'] = target_trait['abbreviation']
 
                 if target_trait["description"].strip():
-                    results_dict['description'] = target_trait['description'].strip().replace("<", "&lt;").replace(">", "&gt;")
+                    results_dict['description'] = html.escape(
+                        target_trait['description'].strip(), quote=True)
 
                 if target_trait["mean"]:
                     results_dict['mean'] = f"{float(target_trait['mean']):.3f}"