git.ipfire.org Git - thirdparty/squid.git/commit
Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306) M-staged-PR306
author Christos Tsantilas <christos@chtsanti.net>
Wed, 17 Oct 2018 15:14:07 +0000 (15:14 +0000)
committer Squid Anubis <squid-anubis@squid-cache.org>
Tue, 23 Oct 2018 17:51:02 +0000 (17:51 +0000)
commit 6feeb15ff312f3e145763adf8d234ed6a0b3f11d
tree 498b287a4486949918327a412ae44b8e73e0c368
parent 518c743093ee0e2df6316b0545c318a92f75e907
Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)

%ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped
when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL
template. This bug affects all ERR_SECURE_CONNECT_FAIL page templates
containing %D, including the default template.

Other error pages are not vulnerable because Squid does not populate %D
with certificate details in other contexts (yet).

Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.

TODO: If those certificate details become needed for ACL checks or other
non-HTML purposes, make their HTML-escaping conditional.

This is a Measurement Factory project.
src/ssl/ErrorDetail.cc
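
The class of fix the commit message describes, as an added example that is not Squid's code or part of this commit: certificate-derived values are HTML-escaped at the point where a detail format string is expanded for an HTML error page. The names `htmlEscape` and `expandDetail`, the format string, and the certificate values are hypothetical and constructed for illustration; only the code names `ssl_subject`, `ssl_ca_name` and `ssl_cn` come from the page.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical helper: replace the five HTML-significant characters.
static std::string htmlEscape(const std::string &in) {
    std::string out;
    for (const char c : in) {
        switch (c) {
        case '&': out += "&amp;"; break;
        case '<': out += "&lt;"; break;
        case '>': out += "&gt;"; break;
        case '"': out += "&quot;"; break;
        case '\'': out += "&#39;"; break;
        default: out += c;
        }
    }
    return out;
}

// Hypothetical expander: substitutes %name codes found in `fields`.
// escape=false models the pre-fix behaviour, escape=true the fixed one.
static std::string expandDetail(const std::string &fmt,
        const std::map<std::string, std::string> &fields, bool escape) {
    std::string out;
    std::string::size_type i = 0;
    while (i < fmt.size()) {
        const std::string *value = nullptr;
        std::string::size_type len = 0;
        if (fmt[i] == '%') {
            for (const auto &f : fields) // longest matching code name wins
                if (f.first.size() > len &&
                        fmt.compare(i + 1, f.first.size(), f.first) == 0) {
                    value = &f.second;
                    len = f.first.size();
                }
        }
        if (value) { // certificate data is untrusted: escape for HTML output
            out += escape ? htmlEscape(*value) : *value;
            i += 1 + len;
        } else {
            out += fmt[i++]; // literal text, including unknown % codes
        }
    }
    return out;
}

int main() { // constructed certificate values, not from a real certificate
    const std::map<std::string, std::string> cert{
        {"ssl_cn", "<i>host.example</i>"}, {"ssl_ca_name", "Test \"CA\" & Co"}};
    std::cout << expandDetail("CN=%ssl_cn; issuer=%ssl_ca_name", cert, true) << "\n";
}
```

The TODO in the commit message corresponds to the `escape` flag here: a non-HTML consumer such as an ACL check would need the raw value, so the escaping has to depend on the output context.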