Escape html in connection form

[chrfoyer]

closes: #36270

Avoid malicious scripts by escaping html tags in the different fields. This does not apply to the password because it is not a string field.

Previous attempt PR: #37316

My previous attempt used a new validator to raise an exception if there were html tags, but now they are simply escaped. This allows the user to still put in the tags, but they will be showed as text instead of rendered (or worse executed in the case of a

Additionally, I have used the most recent version of the main branch possible to avoid the conflicts that were previously present.

Thanks again @potiuk and @hussein-awala for your feedback. Please let me know how I can improve this further

[chrfoyer]

We have a module to test the connection view, could you add some tests for this change? https://github.com/apache/airflow/blob/main/tests/www/views/test_views_connection.py

The tests are now updated

[uranusjr]

This seems a bit weird to me. Does this make the value in the database to be escaped? Escaping on input is generally the wrong thing to do; escaping on output is generally more correct.

[chrfoyer]

This seems a bit weird to me. Does this make the value in the database to be escaped? Escaping on input is generally the wrong thing to do; escaping on output is generally more correct.

Ok I can understand that reasoning. I will implement the change and request review when ready

[eladkal]

@chrfoyer are you still working on this PR?

[github-actions[bot]]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.