Fix 0012570: Invalid XHTML due to lack of escaping of attachment URL

file_api returns attachment URLs in their raw unescaped format. Before
placing these URLs inside the "href" attribute of an "a" element we must
run it through string_attribute() first to escape ampersands and other
unsafe characters.

Within the same section of code a typo also existed with quotation marks
accidentally being outputted around a "class" attribute on a span
element.

Thanks to Tamás Gulácsi for the initial patch and bug report.