1680: add sanitation of error-message from potentially external account_link partner

Author: kkoehn

app/services/task_service/push_external.rb

@@ -12,11 +12,10 @@ def execute
       body = @zip.string
       begin
         response = connection.post {|request| request_parameters(request, body) }
-        if response.success?
-          nil
-        else
-          response.status == 401 ? I18n.t('tasks.export_external_confirm.not_authorized', account_link: @account_link.name) : response.body
-        end
+        return nil if response.success?
+        return I18n.t('tasks.export_external_confirm.not_authorized', account_link: @account_link.name) if response.status == 401
+
+        ERB::Util.html_escape(response.body)
       rescue StandardError => e
         e
       end

spec/services/task_service/push_external_spec.rb

@@ -51,7 +51,13 @@
         let(:status) { 500 }
         let(:response) { 'an error occured' }
 
-        it { is_expected.to be response }
+        it { is_expected.to eql response }
+
+        context 'when response contains problematic characters' do
+          let(:response) { 'an <error> occurred' }
+
+          it { is_expected.to eql 'an &lt;error&gt; occurred' }
+        end
       end
 
       context 'when response status is 401' do