Fix XSS in view_all_bug_page.php (CVE-2020-16266)

Hanno Boeck reported a stored cross-site scripting (XSS) vulnerability,
originally discovered by Jaime Andres Restrepo.

Improper escaping on view_all_bug_page.php allowed a remote attacker to
inject arbitrary HTML into the page by saving it into a text Custom
Field, leading to possible code execution in the browser of any user
subsequently viewing the issue (if CSP settings allow it).

Prevent the attack by properly escaping the custom field's contents
before display.

Fixes 0027056