Merge pull request #11539 from internetarchive/fix-possible-xss

Restrict flash alert rendering

Author: cdrini

openlibrary/templates/site/body.html

@@ -27,7 +27,7 @@
       $#print errors (hidden by default as styles are loaded via JS)
       <div class="flash-messages">
       $for flash in get_flash_messages():
-        <div class="$flash.type"><span>$:flash.message</span></div>
+        <div class="$flash.type"><span>$flash.message</span></div>
       </div>
       $# Announcement banner will only be rendered if announcement and storage_key variables are set.
       $# Be sure to escape any single quotes inside of the announcement HTML string.