Escape all unsafe html for grid data

tailbone/grids/core.py

@@ -1651,7 +1651,11 @@ class Grid(object):
                     value = self.obtain_value(rowobj, name)
                 if value is None:
                     value = ""
-                row[name] = str(value)
+
+                # this value will ultimately be inserted into table
+                # cell a la <td v-html="..."> so we must escape it
+                # here to be safe
+                row[name] = HTML.literal.escape(value)
 
             # maybe add UUID for convenience
             if 'uuid' not in self.columns: