MantisBT: master-2.21 9cee1971

Author: dregad
Committer: dregad
Branch: master-2.21
Timestamp: 2019-08-15 00:53
Parent: master-2.21 a6136137
Affected Issues: 0025995: CVE-2019-15074: Stored XSS Vulnerability in Timeline
Changeset

Fix XSS on timeline (CVE-2019-15074)

Kamran Saifullah reported a stored cross-site scripting (XSS)
vulnerability in Timeline, allowing execution of arbitrary code (if CSP
settings permit it) after uploading an attachment with a crafted
filename. The code is executed for any user having visibility to the
issue, whenever My View Page is displayed.

Prevent the attack by sanitizing the filename before display.

Fixes 0025995

mod - core/classes/IssueAttachmentTimelineEvent.class.php
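Added illustration of the bug class described in the commit message; this is not MantisBT's code and not the contents of the changed file. It shows an attachment filename being concatenated into timeline HTML unescaped, next to the same rendering with the filename escaped for its HTML context, run over a constructed filename that carries markup. The function names and the sample filename are hypothetical.

```php
<?php
// Added example, not code from the MantisBT commit. Hypothetical helpers that
// mimic how a timeline event turns an attachment filename into HTML.
// The real class is core/classes/IssueAttachmentTimelineEvent.class.php.

// Vulnerable pattern: the stored filename goes straight into the markup, so any
// tags in the filename are parsed as HTML by every viewer of My View Page.
function timeline_attachment_html_unsafe(string $filename, int $issue_id): string {
    return '<div class="entry">Attachment <b>' . $filename
         . '</b> added to issue ' . $issue_id . '</div>';
}

// Hardened pattern: escape for the HTML context before concatenation.
// MantisBT's own string_display_line() helper is the project's usual choice for
// this; plain htmlspecialchars() is used here so the example runs stand-alone.
function timeline_attachment_html_safe(string $filename, int $issue_id): string {
    $escaped = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="entry">Attachment <b>' . $escaped
         . '</b> added to issue ' . $issue_id . '</div>';
}

// Simple audit check a defender can run over stored attachment names:
// true when the name contains characters that are significant in HTML.
function filename_contains_markup(string $filename): bool {
    return (bool) preg_match('/[<>"\']/', $filename);
}

// Constructed sample: a filename carrying a tag with an event attribute.
$crafted  = 'report<em onmouseover="x()">.txt';
$issue_id = 42;

$unsafe = timeline_attachment_html_unsafe($crafted, $issue_id);
$safe   = timeline_attachment_html_safe($crafted, $issue_id);

// The unsafe rendering still contains a live <em ...> element.
assert(strpos($unsafe, '<em onmouseover="x()">') !== false);
// The safe rendering contains only escaped text, which the browser shows literally.
assert(strpos($safe, '<em') === false);
assert(strpos($safe, '&lt;em onmouseover=&quot;x()&quot;&gt;') !== false);
assert(filename_contains_markup($crafted) === true);
assert(filename_contains_markup('report.txt') === false);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

Escaping at output time is the fix the commit describes; the audit check is a complementary way to find already-stored names that would have rendered as markup before the fix.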