fix(security): escape user input in validation error HTML

format_validation_errors interpolated Pydantic error messages directly into
HTML. Some messages echo user input (e.g. "Invalid group name '<name>'"), so
a crafted group name was reflected as raw HTML — a stored/reflected XSS.

HTML-escape each formatted message before interpolation.

Refs: porchlight-due

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

tests/test_validation.py

@@ -292,3 +292,15 @@ class TestFormatValidationErrors:
             result = format_validation_errors(exc)
             assert "Picture URL must be a valid HTTP or HTTPS URL" in result
             assert "Value error" not in result
+
+    def test_escapes_user_input_in_error_message(self) -> None:
+        # A validation error message that echoes user input (e.g. an invalid
+        # group name) must not emit raw HTML — otherwise it is reflected XSS.
+        payload = "<img src=x onerror=alert(1)>"
+        try:
+            GroupListInput(groups=payload)
+        except ValidationError as exc:
+            result = format_validation_errors(exc)
+            assert payload not in result
+            assert "&lt;img src=x onerror=alert(1)&gt;" in result
+            assert "<img" not in result