html_repr may include unsanitized html code

[stephenworsley]

Relevant to #3313 and #3373.
It is currently possible to construct a cube whose attributes contain strings with arbitrary html in them (for example, cube.attributes['bad html'] = "...</td><td>---" would break the formatting of the table). Their html_repr is not currently sanitizing such text. It might be wise to call html.escape() on such text when it is used to construct html objects.

[pp-mo]

Hi @stephenworsley
Although #3373 closed, this still needs doing.
Is that right ??

[stephenworsley]

@pp-mo yes, this is addressed by #3378 and should be closed by it being merged (though as an issue it would still remain relevant to #3313). I mention #3313 and #3373 because there was a chance that they could introduce code that needed to be addressed by this issue. Though, with the way they are currently written, #3373 and #3378 ought to be compatible.

[pp-mo]

Addressed by #3378