[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes

- All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future.
- All names and descriptions now use the template tag `nh_safe` in all html files.
- Usernames and emails are a small exception and are not allowed any html tags

Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com>
Co-authored-by: jebus <lorsbach@envipath.com>
Co-authored-by: Tim Lorsbach <tim@lorsba.ch>
Reviewed-on: enviPath/enviPy#171
Reviewed-by: jebus <lorsbach@envipath.com>
Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz>
Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>

templates/modals/objects/manage_api_token_modal.html

@@ -1,3 +1,4 @@
+
 <div class="modal fade"
      tabindex="-1"
      id="manage_api_token_modal"
@@ -41,7 +42,7 @@
                         <div class="input-group">
                             <input type="hidden" name="hidden" value="delete">
                             <input type="hidden" name="token-id" value="{{ t.pk }}">
-                            <input type="text" class="form-control" value="{{ t.name }}" disabled>
+                            <input type="text" class="form-control" value="{{ t.name|safe }}" disabled>
                             <span class="input-group-btn">
                                 <button type="submit" class="btn btn-danger">Delete</button>
                             </span>