VIVO-861 Guard against Cross-Site Scripting attacks in the page title and in the body classes.

webapp/themes/vitro/templates/head.ftl

@@ -4,7 +4,7 @@
 <!-- Google Chrome Frame open source plug-in brings Google Chrome's open web technologies and speedy JavaScript engine to Internet Explorer-->
 <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
 
-<title>${siteName!}</title>
+<title>${(title?html)!siteName!}</title>
 
 <#include "stylesheets.ftl">
 <link rel="stylesheet" href="${urls.theme}/css/screen.css" />

webapp/web/templates/freemarker/page/partials/pageSetup.ftl

@@ -6,8 +6,10 @@ the domain of the controllers. -->
 
 <#assign bodyClasses>
     <#-- The compress directives and formatting here resolve whitespace issues in output; please do not alter them. -->
+    <#-- Add the ?html builtin to currentServlet to guard against hacks. 
+         Otherwise, the servletPath portion of the URL is rendered verbatim into the HTML -->
     <#compress>
-    <#assign bodyClassList = [currentServlet!]>
+    <#assign bodyClassList = [(currentServlet?html)!]>
     
     <#if user.loggedIn> 
         <#assign bodyClassList = bodyClassList + ["loggedIn"]/>