Use format_html for HTML-generating functions

[jardiacaj]

Currently the regular str.format() function is used in HTML-generating functions. For example:

finem_imperii/world/models/geography.py

Line 71 in 8ba540c

def get_html_link(self):

This forces to use the |safe tag in templates when outputting the result, which creates XSS vulnerabilities. For example:

finem_imperii/base/templates/base/base.html

Line 33 in 8ba540c

{{ request.hero.location.tile.get_html_link|safe }}.

A better solution would be to use django.utils.html.format_html(): https://docs.djangoproject.com/en/1.11/ref/utils/#django.utils.html.format_html

[jardiacaj]

This issue is now fixed. Thanks a lot for your help!