
Fix reflected XSS in /metrics/find via from/until parameters#2907

Merged
deniszh merged 2 commits into master from copilot/fix-issue-2870
Mar 17, 2026

Conversation

Contributor

Copilot AI commented Mar 17, 2026

User-supplied from and until parameters were reflected unescaped in error messages from the /metrics/find endpoint, allowing script injection via malformed date values (e.g. ?from=<script>alert('XSS')</script>).

The htmlEscape() call in handleInputParameterError was already present, but test coverage had gaps and the test assertion helper itself was broken.

Changes

  • tests/base.py — Fix two bugs in is_unsafe_str() that made XSS assertions unreliable:

    • return False was indented inside the for loop, so > was never checked
    • > 0 should be >= 0 (missed characters at position 0)
  • tests/test_xss.py:

    • Add until to both FindXSSTest and RenderXSSTest — it was tested for from but not until
    • Add test_find_xss_script_tag covering the exact issue payload (<script>alert('XSS')</script>) against both from and until

# Before fix — response contained raw user input:
Invalid value '<script>alert('XSS')</script>' for param from: ...

# After (already in errors.py via htmlEscape):
Invalid value '&lt;script&gt;alert('XSS')&lt;/script&gt;' for param from: ...
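The two helper bugs described above, reconstructed as an added example (not graphite-web's own tests/base.py or errors.py): a buggy `is_unsafe_str` next to the corrected one, plus an assumed `format_param_error` that escapes the reflected value with `html.escape` the way the after-fix output shows. The `str.find` based shape of the helper is an assumption drawn from the "> 0 should be >= 0" description.

```python
import html


def is_unsafe_str_buggy(s):
    """Reconstruction of the broken helper (assumed shape, not the real code):
    the early `return False` sits inside the loop, so only '<' is ever
    checked, and `> 0` misses a match at position 0."""
    for ch in ('<', '>'):
        if s.find(ch) > 0:
            return True
        return False


def is_unsafe_str_fixed(s):
    """True if s contains a character that must never reach HTML unescaped.
    `>= 0` catches position 0; `return False` only after every char is tried."""
    for ch in ('<', '>'):
        if s.find(ch) >= 0:
            return True
    return False


def format_param_error(value, param):
    """Assumed error formatter modelled on the after-fix message: the
    user-controlled value is escaped before being reflected. quote=False
    keeps the single quotes visible, matching the output shown in the PR."""
    return "Invalid value '%s' for param %s" % (html.escape(value, quote=False), param)


def response_is_safe(value, param):
    """What a good XSS test asserts: the rendered error must not trip the
    (fixed) unsafe-string check."""
    return not is_unsafe_str_fixed(format_param_error(value, param))


if __name__ == "__main__":
    payload = "<script>alert('XSS')</script>"  # the payload from the issue
    # The buggy helper says False here: '<' is at index 0, so `> 0` misses it,
    # which is why an XSS assertion built on it could pass against raw input.
    print(is_unsafe_str_buggy(payload), is_unsafe_str_fixed(payload))
    print(format_param_error(payload, "from"))
```

Running it shows the buggy helper returning False for the exact issue payload while the fixed helper returns True, which is the test-coverage gap the PR closes.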


…fix is_unsafe_str

Co-authored-by: deniszh <1227222+deniszh@users.noreply.github.com>
Copilot AI changed the title [WIP] [2870] Fix issue with Graphite Web functionality Fix reflected XSS in /metrics/find via from/until parameters Mar 17, 2026
Copilot AI requested a review from deniszh March 17, 2026 21:51
@deniszh deniszh marked this pull request as ready for review March 17, 2026 21:54
@deniszh deniszh merged commit 86c378b into master Mar 17, 2026
7 of 8 checks passed
@codecov-commenter


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.80%. Comparing base (156559e) to head (5df4cd4).
⚠️ Report is 23 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2907      +/-   ##
==========================================
+ Coverage   76.42%   76.80%   +0.37%     
==========================================
  Files          88       88              
  Lines        9688     9700      +12     
  Branches     1802     1805       +3     
==========================================
+ Hits         7404     7450      +46     
+ Misses       2024     1983      -41     
- Partials      260      267       +7     

