Defuse XSS in Calendar

Summary: `addDetail()` takes HTML because we have links there fairly often. :/ This design is iffy.

Test Plan: Reloaded `/calendar/status/`, verified no XSS.

Reviewers: btrahan, vrana

Reviewed By: vrana

CC: aran

Maniphest Tasks: T139

Differential Revision: https://secure.phabricator.com/D4074

src/applications/calendar/controller/PhabricatorCalendarViewStatusController.php

@@ -73,7 +73,7 @@ final class PhabricatorCalendarViewStatusController
         ->setHref($href)
         ->addDetail(
           pht('Description'),
-          $status->getDescription())
+          phutil_escape_html($status->getDescription()))
         ->addAttribute(pht('From %s', $from))
         ->addAttribute(pht('To %s', $to));