MantisBT: master-2.25 03dd3722

Author: dregad
Committer: dregad
Branch: master-2.25
Timestamp: 2021-05-15 05:43
Parent: master-2.25 5e15c2cb
Affected Issues: 0028552: CVE-2021-33557: XSS in manage_custom_field_edit_page.php
Changeset

Fix XSS on manage_custom_field_edit_page.php

Thanks to Feras AL-KASSAR (SAP) en.feras@hotmail.com who reported
this vulnerability, which was discovered in the context of the EU
research project TESTABLE.

Unescaped output of the 'return' parameter allows an attacker to inject code
into a hidden input field in the manage-custom-field-update-form.

Fixes 0028552, CVE-2021-33557

mod - manage_custom_field_edit_page.php
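The bug class named in the commit message, a request parameter echoed unescaped into the value of a hidden input, shown as an added PHP example. This is not MantisBT's code and not the diff of this commit (the page does not reproduce it); the function names, the field name "return" and the sample payload are assumptions made for illustration.

```php
<?php
// Added example, not MantisBT code. Reproduces the attribute-context XSS
// described in the commit message: a 'return' parameter written verbatim into
// a hidden <input>. Function and field names are assumptions.

// Constructed attacker input: closes the value="..." attribute and the tag,
// injects a script element, then reopens an input so the markup still parses.
const PAYLOAD = '"><script>alert(document.cookie)</script><input type="hidden" value="';

// Vulnerable form: $p_return goes straight into an attribute value.
function render_hidden_vulnerable( string $p_return ): string {
    return '<input type="hidden" name="return" value="' . $p_return . '" />';
}

// Hardened form: encode for an HTML attribute context. ENT_QUOTES converts
// both " and ' so the value cannot terminate either quoting style; the
// explicit charset avoids depending on the runtime default_charset.
function render_hidden_safe( string $p_return ): string {
    $t_escaped = htmlspecialchars( $p_return, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<input type="hidden" name="return" value="' . $t_escaped . '" />';
}

// Regression check: the rendered fragment must contain exactly one input
// element and no script element.
function is_single_hidden_input( string $p_html ): bool {
    return substr_count( strtolower( $p_html ), '<input' ) === 1
        && stripos( $p_html, '<script' ) === false;
}

$t_vulnerable = render_hidden_vulnerable( PAYLOAD );
$t_safe       = render_hidden_safe( PAYLOAD );

echo "vulnerable: ", $t_vulnerable, PHP_EOL;
echo "hardened:   ", $t_safe, PHP_EOL;

// The payload turns the vulnerable markup into two inputs plus a script;
// the escaped version stays a single inert input whose value is the payload
// as literal text.
if( is_single_hidden_input( $t_vulnerable ) || !is_single_hidden_input( $t_safe ) ) {
    fwrite( STDERR, "unexpected result\n" );
    exit( 1 );
}
echo "check passed", PHP_EOL;
```

The escaping has to match the output context: a value written inside a quoted attribute needs `"` (and `'`) encoded, which plain text escaping of `<` and `>` alone does not guarantee. MantisBT's string API provides string_attribute() for exactly this context; since the diff is not shown on this page, whether this commit applies that helper or another one is not visible here.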