Fix h1 report 173501

Persistent  XSS
---------------

The HackerOne user pavanw3b has reported that the Revive Adserver was
vulnerable to a persistent XSS attack: an authenticated user could set their
own email address to a specifically crafted string which was then displayed
without proper escaping in the context of other users (e.g. the administrator
user), giving them an opportunity to steal a session with elevated privileges.

CWE-ID: CWE-79

CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 4.2
CVSSv3 Temporal Score: 3.7

lib/templates/admin/user-access.html

@@ -44,10 +44,10 @@
     <tbody class="{$rowType}">
       <tr height="25" {if $user.justModified}class="hl"{/if}>
       {if $sso}
-        <td class="first"><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address}</a></td>
+        <td class="first"><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address|escape}</a></td>
       {else}
         <td class="first"><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.username|escape}</a></td>
-        <td><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address}</a></td>
+        <td><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address|escape}</a></td>
       {/if}
         <td>{$user.contact_name|escape}</td>
       {if $sso}