Escape HTML of supporters

fixes #171

Author: hagenburger

source/localizable/index.html.erb

@@ -20,19 +20,19 @@
   <ul class="supporters--list">
     <% (data.supporters.usergroups + data.supporters.conferences).each do |supporter| %>
       <li id="supporters--<%= supporter.name.downcase.gsub(/\W/, '_') %>" class="supporters--item">
-        <h3 class="supporters--item-name"><%= supporter.name %></h3>
+        <h3 class="supporters--item-name"><%=h supporter.name %></h3>
         <div class="user group">
-          <span class="supporters--item-location"><%= supporter.city %>/<%= supporter.country %></span>
+          <span class="supporters--item-location"><%=h supporter.city %>/<%=h supporter.country %></span>
           <%= link_to supporter.link.sub(%r(https?://), ''), supporter.link, class: 'supporters--item-link' %>
           <%= link_to('@' + supporter.twitter, 'https://twitter.com/' + supporter.twitter, class: 'supporters--item-link') unless supporter.twitter.blank? %>
         </div>
         <ul class="supporters--contacts">
           <% supporter.contacts.each do |contact| %>
             <li class="supporters--contacts-item">
-              <%= contact.name %>
+              <%=h contact.name %>
               <% %w(email phone).each do |medium| %>
                 <% unless contact.send(medium).blank? %>
-                  <span class="supporters--contacts-item-<%= medium %>"><%= contact.send(medium) %></span>
+                  <span class="supporters--contacts-item-<%= medium %>"><%=h contact.send(medium) %></span>
                 <% end %>
               <% end %>
               <%= link_to('@' + contact.twitter, 'https://twitter.com/' + contact.twitter, class: 'supporters--contacts-item-twitter') unless contact.twitter.blank? %>