Escape the player's name when printing it into HTML.

Non-alphanumeric characters in names may eventually be possible.

web/scoring/players/index.cgi

@@ -2,6 +2,7 @@
 
 import os
 import sys
+import html
 import rlgall
 
 playerdir = "/var/www/lighttpd/scoring/players/"
@@ -26,7 +27,7 @@ if not namelist:
 else:
   sys.stdout.write("<ul>\n")
   for name in namelist:
-    sys.stdout.write(linkstr.format(name))
+    sys.stdout.write(linkstr.format(html.escape(name)))
   sys.stdout.write("</ul>\n")
 
 sys.stdout.write(rlgall.pend)