Merge "Escape the description param from heat template"

openstack_dashboard/dashboards/project/stacks/forms.py

@@ -13,6 +13,7 @@
 import json
 import logging
 
+from django.utils import html
 from django.utils.translation import ugettext_lazy as _
 from django.views.decorators.debug import sensitive_variables  # noqa
 
@@ -310,7 +311,7 @@ class CreateStackForm(forms.SelfHandlingForm):
             field_args = {
                 'initial': param.get('Default', None),
                 'label': param.get('Label', param_key),
-                'help_text': param.get('Description', ''),
+                'help_text': html.escape(param.get('Description', '')),
                 'required': param.get('Default', None) is None
             }