Rotonde / rotonde-client

Rotonde Base Client
https://client-neauoire.hashbase.io/
MIT License

Escape media and version (prevent XSS); Handle extra versions #99

Closed 0x0ade closed 7 years ago

0x0ade commented 7 years ago

Rotonde doesn't escape the entry media, which allows anyone to hide anything in there.

    {
      "message": "Horrible idea of the day: #rotonde bot that reposts my Twitter timeline / Twitter client that works via #rotonde.",
      "timestamp": 1509975157676,
      "media": "<!--ext' style='display: none'></a><a class='media' href='https://twitter.com/0x0ade/status/927267952721833984' onmouseover='alert(\"XSS.\")'>Twitter</a><!----><a a='.png",
      "target": []
    }


Same goes to client_version:

"client_version": "0.1.67-dev<br><a href='https://twitter.com/0x0ade'>twttr</a>"


This changeset escapes the media URL using encodeURI and changes the portal version handling to

  1. check the first line for the rotonde version
  2. allow a second line to mark any "mod version".

I don't know how "strict" it should be, so I left room for some customization of the client version.

"client_version": "0.1.67\ntonne r0"

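The escaping described above (encodeURI on media, a first-line rotonde version with an optional second mod line, and the r.escape_html / r.escape_attr helpers mentioned later in the thread), worked through as an added example that is not rotonde-client's own code. The version pattern, the media scheme allowlist and the rendered markup are assumptions, and the scheme check goes beyond what the PR states.

```javascript
// Added example, not rotonde-client's code. Helper names follow the PR's
// r.escape_html / r.escape_attr; version pattern, scheme list and markup are assumptions.

// Text placed between tags.
function escape_html(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Text placed inside an attribute value: anything but [A-Za-z0-9_.-] becomes a
// numeric entity, so the value cannot end the attribute however it is quoted.
function escape_attr(s) {
  return String(s).replace(/[^A-Za-z0-9_.-]/gu, c => '&#x' + c.codePointAt(0).toString(16) + ';');
}

// Media is a URL. encodeURI percent-encodes '<' '>' '"' and whitespace but keeps
// ':' '/' '?' '#' (so links resolve) and also letters, "'", '(' and ')'; hence the
// scheme is checked here (assumed allowlist: relative, http(s), dat) and the
// result is still passed through escape_attr where it is rendered.
function escape_media(url) {
  const s = String(url);
  const scheme = (s.match(/^([a-z][a-z0-9+.-]*):/i) || [])[1];
  if (scheme && !['http', 'https', 'dat'].includes(scheme.toLowerCase())) return '';
  try { return encodeURI(s); } catch (e) { return ''; }  // lone surrogate -> URIError
}

// client_version as the PR describes: line 1 is the rotonde version (assumed
// shape 0.1.67 or 0.1.67-dev), an optional line 2 names a mod.
const VERSION_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?$/;
function parse_version(raw) {
  const [first = '', second = ''] = String(raw).split('\n', 2);
  return { version: VERSION_RE.test(first.trim()) ? first.trim() : null,
           mod: second.trim() || null };
}

// Render one entry with each field passed through the escaper for its context.
function render_entry(e) {
  const { version, mod } = parse_version(e.client_version);
  const ver = (version ? escape_html(version) : 'unknown') + (mod ? ' (' + escape_html(mod) + ')' : '');
  const src = escape_media(e.media || '');
  return '<div class="entry"><b>' + escape_html(e.name) + '</b> <i>' + ver + '</i>' +
    '<p>' + escape_html(e.message) + '</p>' +
    (src ? '<a class="media" href="' + escape_attr(src) + '">media</a>' : '') +
    '<span class="target">' + (e.target || []).map(escape_html).join(' ') + '</span></div>';
}
// Constructed sample in the shape of the PR's payloads.
const SAMPLE_ENTRY = {
  name: "0x0ade", message: "Horrible idea of the day", target: ["<b>x</b>"],
  client_version: "0.1.67-dev<br><a href='https://twitter.com/0x0ade'>twttr</a>",
  media: "<!--ext' style='display: none'></a><a onmouseover='alert(\"XSS.\")'>t</a><a a='.png",
};
```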

eelfroth commented 7 years ago

Thanks for escaping those. Nobody bothered to fix that security hole until now ¯\_(ツ)_/¯

0x0ade commented 7 years ago

I just noticed that names are affected, too; lemme commit a fix for that, too.

neauoire commented 7 years ago

I'll merge when names are escaped as well :)

0x0ade commented 7 years ago

This commit doesn't only escape names, but also targets. r.escape_html and r.escape_attr have been added for any future escaping needs :)

neauoire commented 7 years ago

Thanks a lot for this, I will give it its own version and seed it right away!