Sanitation of metadata passed from Django

We need to escape HTML in metadata passed from Django, which
can lead to security issues. Refer to the bug for more details.

Co-Authored-By: Szymon Wroblewski <szymon.wroblewski@intel.com>
Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
Closes-bug: #1449260

horizon/templates/horizon/common/_modal_form_update_metadata.html

@@ -11,8 +11,8 @@
                     existing="existing"
                     model="tree"></hz-metadata-tree>
   <script type="text/javascript">
-    var existing_metadata = {{ existing_metadata|safe }};
-    var available_metadata = {{ available_metadata|safe }};
+    var existing_metadata = JSON.parse('{{ existing_metadata|escapejs }}');
+    var available_metadata = JSON.parse('{{ available_metadata|escapejs }}');
   </script>
 {% endblock %}