[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes

- All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future.
- All names and descriptions now use the template tag `nh_safe` in all html files.
- Usernames and emails are a small exception and are not allowed any html tags

Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com>
Co-authored-by: jebus <lorsbach@envipath.com>
Co-authored-by: Tim Lorsbach <tim@lorsba.ch>
Reviewed-on: enviPath/enviPy#171
Reviewed-by: jebus <lorsbach@envipath.com>
Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz>
Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>

templates/modals/objects/edit_group_member_modal.html

@@ -1,3 +1,4 @@
+
 {% load static %}
 <!-- Edit Package Permission -->
 <div id="edit_group_member_modal" class="modal" tabindex="-1">
@@ -39,7 +40,7 @@
                                 {% endfor %}
                                 <option disabled>Groups</option>
                                 {% for g in groups %}
-                                <option value="{{ g.url }}">{{ g.name }}</option>
+                                <option value="{{ g.url }}">{{ g.name|safe }}</option>
                                 {% endfor %}
                             </select>
                             <input type="hidden" name="action" value="add">
@@ -81,7 +82,7 @@
                           accept-charset="UTF-8" action="" data-remote="true" method="post">
                         {% csrf_token %}
                         <div class="col-xs-8">
-                            {{ g.name }}
+                            {{ g.name|safe }}
                             <input type="hidden" name="member" value="{{ g.url }}"/>
                             <input type="hidden" name="action" value="remove">
                         </div>