Protect against XSS in diff-view by using application/json

[olsen232]

Description

As discussed in #883
No extra tests yet, this is all the time I was willing to spend on it for right now.

Not clear if tests would be super valuable - we could test the following:

• does html.escape escape the characters that it says it escapes
• does json.dumps create valid json (ie, can we load it using json.loads)
  but honestly it seems like these would be pretty well tested already

We can't really test the following:

• is html.escape guaranteed XSS safe for whatever browser the user has
• is json.dumps guaranteed XSS safe for whatever browser the user has (ie, it won't get tripped up by {"xss": "</script><script>alert(1)</script>"} or some nonsense)
• does the user's browser respect <script type="application/json"> and not allow XSS inside it? (my one does so that's good)

Checklist:

• Have you reviewed your own change?
• Have you included test(s)?
• Have you updated the changelog?

[olsen232]

@enricofer Find slightly improved diff-view.html template that is more secure against XSS attacks - you can copy the changes to your own HTML template(s).