One of my tests outputs text that contains what looks like an HTML tag:
ok 19 - msg is "defO01<<TRUNCATED>>"
The Description column for this test on the TAP Extended Test Results page looks like this:
- msg is "defO01<>"
When I browse the source HTML for this section of the page, the text from the TAP output is definitely not being escaped. This could lead to cross-site scripting issues.
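The behaviour described in the report, reproduced as an added example (not part of the original report and not the results page's own code): the reported TAP line is rendered into a table cell once unescaped and once HTML-escaped, and an HTML parser shows what text survives in each case. The function names and the simplified TAP pattern are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Simplified TAP test-line pattern (assumption: directives are not handled here).
TAP_LINE = re.compile(r"^(not ok|ok)\b\s*(\d+)?\s*(?:-\s*)?(.*)$")


def parse_description(tap_line):
    """Return the free-text description of a TAP test line."""
    m = TAP_LINE.match(tap_line.strip())
    if m is None:
        raise ValueError("not a TAP test line: %r" % tap_line)
    return m.group(3).strip()


def render_cell_unescaped(tap_line):
    """'Before': description copied into the page as-is, as the report describes."""
    return "<td>" + parse_description(tap_line) + "</td>"


def render_cell_escaped(tap_line):
    """'After': description HTML-escaped at output time."""
    return "<td>" + html.escape(parse_description(tap_line), quote=True) + "</td>"


class _Text(HTMLParser):
    """Collects only the text nodes, discarding anything parsed as a tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def visible_text(fragment):
    """Text an HTML parser keeps after consuming anything tag-shaped."""
    p = _Text()
    p.feed(fragment)
    p.close()
    return "".join(p.chunks)


REPORTED = 'ok 19 - msg is "defO01<<TRUNCATED>>"'  # line taken from the report

if __name__ == "__main__":
    for render in (render_cell_unescaped, render_cell_escaped):
        cell = render(REPORTED)
        print(render.__name__, "->", cell, "| shows:", visible_text(cell))
```

The unescaped cell loses `<TRUNCATED>` because the parser treats it as an element, which is the same path by which markup in test output would become live page content; the escaped cell displays the description exactly as the test printed it.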