Fix for XSS vulnerability

ClearIT informed us about a video from customer ComHem that showed
how a carefully constructed message which includes a as of right
now unknown Javascript file that allowed the customer from the External.app chat
see the agents username and password.

The code now escapes a few characters with HTML entity encoding to prevent this sort of attack.
The code escapes the following characters

& into &
< into &lt;
> into &gt;
" into &quot;
' into &#x27;
/ into &#x2F;

This has been done according to the recommendation found here:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

lib/InternalChatProtocol.fe

@@ -91,8 +91,16 @@ namespace ChatMCAM {
 	}
 
 	function _formatBody( string body ) {
-		object r = new Regexp('(\b(https?|ftp):\/\/[-A-Z0-9+&@#\/%?=~_|!:,.;]*[-A-Z0-9+&@#\/%=~_|])', 'i');
-		return r.replaceAll(body, '<a style="color:#333399;" target="_blank" href="\1">\1</a>');
+		object r;
+		body = Regexp.replaceAll('&', body, '&amp;');
+		body = Regexp.replaceAll('<', body, '&lt;');
+		body = Regexp.replaceAll('>', body, '&gt;');
+		body = Regexp.replaceAll('"', body, '&quot;');
+		body = Regexp.replaceAll("'", body, '&#x27;');
+		body = Regexp.replaceAll('/', body, '&#x2F;');
+		r = new Regexp('(\b(https?|ftp):\/\/[-A-Z0-9+&@#\/%?=~_|!:,.;]*[-A-Z0-9+&@#\/%=~_|])', 'i');
+		body = r.replaceAll(body, '<a style="color:#333399;" target="_blank" href="\1">\1</a>');
+		return body;
 	}
 
 	function _getList( array area_ids, array user_ids) {