[backport] fix xss issues in timeline & lightbox confirmation

app/coffee/modules/common/confirm.coffee

@@ -56,9 +56,9 @@ class ConfirmService extends taiga.Service
         el = angular.element(lightboxSelector)
 
         # Render content
-        el.find("h2.title").html(title)
-        el.find("span.subtitle").html(subtitle)
-        el.find("span.message").html(message)
+        el.find("h2.title").text(title)
+        el.find("span.subtitle").text(subtitle)
+        el.find("span.message").text(message)
 
         # Assign event handlers
         el.on "click.confirm-dialog", "a.button-green", debounce 2000, (event) =>

app/modules/user-timeline/user-timeline-item/user-timeline-item-title.service.coffee

@@ -67,9 +67,11 @@ class UserTimelineItemTitle
                 if value == null && timeline.getIn(["data", "value_diff", "key"]) == 'assigned_to'
                     value = @translate.instant('ACTIVITY.VALUES.UNASSIGNED')
 
-                return value
+                new_value = value
             else
-                return timeline.getIn(["data", "value_diff", "value"]).first().get(1)
+                new_value = timeline.getIn(["data", "value_diff", "value"]).first().get(1)
+
+            return _.escape(new_value)
 
         sprint_name: (timeline, event) ->
             url = "project-taskboard:project=timeline.getIn(['data', 'project', 'slug']),sprint=timeline.getIn(['data', 'milestone', 'slug'])"
@@ -100,7 +102,7 @@ class UserTimelineItemTitle
             return @._getLink(url, text)
 
         role_name: (timeline, event) ->
-            return timeline.getIn(['data', 'value_diff', 'value']).keySeq().first()
+            return _.escape(timeline.getIn(['data', 'value_diff', 'value']).keySeq().first())
     }
 
     constructor: (@translate) ->