Fix #12570: Invalid XHTML due to lack of escaping of attachment URL
file_api returns attachment URLs in their raw unescaped format. Before
placing these URLs inside the "href" attribute of an "a" element we must
run them through string_attribute() first to escape ampersands and other
unsafe characters.

Within the same section of code a typo also existed with quotation marks
accidentally being outputted around a "class" attribute on a span
element.

Thanks to Tamás Gulácsi for the initial patch and bug report.
davidhicks committed Dec 25, 2010
1 parent 5e8e7e2 commit be42936
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions core/print_api.php
Expand Up @@ -1670,7 +1670,7 @@ function print_bug_attachments_list( $p_bug_id ) {
}

if ( $t_attachment['can_download'] ) {
$t_href_start = "<a href=\"${t_attachment['download_url']}\">";
$t_href_start = '<a href="' . string_attribute( $t_attachment['download_url'] ) . '">';
$t_href_end = '</a>';

$t_href_clicket = " [<a href=\"file_download.php?file_id={$t_attachment['id']}&amp;type=bug\" target=\"_blank\">^</a>]";
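Review bot: the fix escapes only `$t_attachment['download_url']`; the unchanged context line right after it still interpolates `{$t_attachment['id']}` raw into another href when building `$t_href_clicket`. That is safe only if the id is always numeric, which nothing in this hunk or the commit message establishes, so either confirm the type at the call site or wrap it in `string_attribute()` too so both hrefs in this block are escaped the same way. Switching from `"...${t_attachment['download_url']}..."` interpolation to concatenation with a single-quoted string is the right move, since the escaping call cannot be expressed inside a double-quoted literal.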
Expand All @@ -1686,7 +1686,7 @@ function print_bug_attachments_list( $p_bug_id ) {
} else {
echo $t_href_start;
print_file_icon( $t_file_display_name );
echo $t_href_end . '&#160;' . $t_href_start . $t_file_display_name . $t_href_end . $t_href_clicket . ' (' . $t_filesize . ' ' . lang_get( 'bytes' ) . ') ' . '<span class=\"italic\">' . $t_date_added . '</span>';
echo $t_href_end . '&#160;' . $t_href_start . $t_file_display_name . $t_href_end . $t_href_clicket . ' (' . $t_filesize . ' ' . lang_get( 'bytes' ) . ') ' . '<span class="italic">' . $t_date_added . '</span>';

if ( $t_attachment['can_delete'] ) {
echo '&#160;[';
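Review bot: the quoting fix is correct and worth a one-line comment in the commit so the reason is clear: inside a single-quoted PHP string `\"` is not an escape sequence, so the old line emitted the literal characters `class=\"italic\"`, which is the invalid XHTML attribute the bug report describes; `'<span class="italic">'` emits the intended markup. While touching this echo, note that `$t_file_display_name` and `$t_date_added` are concatenated into the output without any visible escaping; if they are already run through an escaping helper earlier in `print_bug_attachments_list()` that is fine, but it is not visible in this hunk, so it is worth confirming rather than assuming.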
