HTML render should be escaped

[mehaase]

The render_html() method does not sanitize outputs. If a database field contains <script>alert(1)</script>, this will lead to code execution in the user's browser.

Simple fix, change from this:

    		echo "\t<td>$cell</td>\n";

...to this:

    		$cell = htmlspecialchars($cell);
    		echo "\t<td>$cell</td>\n";