XSS in HTML Report (Unescaped Link URLs) #32

@keraattin

Description

Bug Description
html_generator.py does not escape link URLs or attachment filenames before inserting them into the HTML report. If an email contains a URL with HTML special characters (e.g. "><script>alert(1)</script>), opening the generated report in a browser executes the injected script. The headers section correctly uses html.escape(), but the links and attachments sections do not.

Expected Behavior or Results
All values sourced from the email (URLs, filenames) should be escaped with html.escape() before being inserted into the HTML report.

Reproduce Steps

  1. Craft an .eml with a link href containing "><script>alert(document.cookie)</script>
  2. Run python3 email-analyzer.py -f sample.eml -l -o report.html
  3. Open report.html in a browser — observe the alert fires

Desktop (please complete the following information):

  • OS with Version: Any
  • Python Version: Python 3.10+
  • Browser with Version: Any
  • EmailAnalyzer Project Version: v2.0

Additional context
Affected code — html_generator.py line 74 (links) and line 130 (attachments) missing html.escape().
Compare to the correct implementation at line 22 (headers):

html += f"<tr><td>{ str(key) }</td><td>{ escape(str(value)) }</td></tr>"
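As an added example that is not part of the issue or of the EmailAnalyzer code, the unescaped pattern reported above next to the escaped form the issue asks for; the function names and the sample URL and filename values are constructed for illustration.

```python
from html import escape

# Constructed values of the kind an email under analysis could carry; the
# first URL closes the href attribute and tag if inserted unescaped.
SAMPLE_LINKS = [
    'https://example.com/"><script>alert(document.cookie)</script>',
    "https://example.com/path?a=1&b=<x>",
]
SAMPLE_ATTACHMENTS = ["invoice<img src=x onerror=alert(1)>.pdf", "report.pdf"]


def render_links_vulnerable(links):
    """The bug as reported: raw URLs interpolated into the table row."""
    html = "<table>"
    for url in links:
        html += f'<tr><td><a href="{url}">{url}</a></td></tr>'
    return html + "</table>"


def render_links_fixed(links):
    """Every email-sourced value escaped once; quote=True (the default) also
    turns '"' into &quot; so the href attribute cannot be closed early."""
    html = "<table>"
    for url in links:
        safe = escape(str(url), quote=True)
        html += f'<tr><td><a href="{safe}">{safe}</a></td></tr>'
    return html + "</table>"


def render_attachments_fixed(filenames):
    """Same fix applied to the attachments section."""
    html = "<table>"
    for name in filenames:
        html += f"<tr><td>{escape(str(name))}</td></tr>"
    return html + "</table>"


def leaks_raw_markup(rendered, values):
    """Regression check: True if any value carrying markup characters
    appears verbatim in the rendered report."""
    return any(v in rendered for v in values if any(c in v for c in '<>"'))


if __name__ == "__main__":
    print(leaks_raw_markup(render_links_vulnerable(SAMPLE_LINKS), SAMPLE_LINKS))  # True
    print(leaks_raw_markup(render_links_fixed(SAMPLE_LINKS), SAMPLE_LINKS))  # False
```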
