MantisBT: master f6644090

Author: dregad
Committer: dregad
Branch: master
Timestamp: 2017-05-13 14:47
Parent: master f21b56fa
Affected Issues:
 0022702: CVE-2017-7620: CSRF - Arbitrary Permalink Injection
 0022816: CVE-2017-7620: Open redirection vulnerability in /login_page.php
Changeset

Encode '\' in string_sanitize_url()

As an extra safety measure following up on the fix for CVE-2017-7620, we
encode the backslashes in the 'script' part of the URL to ensure that
the sanitized URL is treated as a path relative to MantisBT root and not
a link to an external site if the URL begins with an escaped /.

This reduces the risk of someone being able to use the same attack
vector in another page.

Fixes 0022702, 0022816

mod - core/string_api.php
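The hazard the commit message refers to, as an added PHP example that is not MantisBT's own string_sanitize_url() (whose exact rules are not shown on this page): browsers parse a backslash in a URL as a forward slash, so a "return to" value such as \\attacker.example is followed as the scheme-relative link //attacker.example and leaves the site. The hypothetical sanitize_return_path() below drops any scheme and host, percent-encodes backslashes in the path so they stay literal data, and strips leading slashes so the result can only resolve relative to the application root. The function name and the sample inputs are constructed for this illustration.

```php
<?php
// Added example; not the MantisBT string_sanitize_url() implementation.

/**
 * Reduce an untrusted "return to" URL to a path relative to the
 * application root. Hypothetical helper, assumed for this example.
 *
 * @param string $p_url  value taken from a request parameter
 * @return string        root-relative path, query and fragment only
 */
function sanitize_return_path( $p_url ) {
	if( !is_string( $p_url ) ) {
		return '';
	}

	// parse_url() splits off scheme and host; only path, query and
	// fragment are kept, so "http://attacker.example/x" becomes "x".
	$t_parts = parse_url( $p_url );
	if( $t_parts === false ) {
		return '';
	}
	$t_path = isset( $t_parts['path'] ) ? $t_parts['path'] : '';

	// Backslashes are not valid path characters and browsers normalise
	// them to '/', which would turn "\\host" into "//host" (an external
	// link). Percent-encode them so they remain literal data.
	$t_path = str_replace( '\\', '%5C', $t_path );

	// Remove leading slashes so the result can never start with "//"
	// and be interpreted as scheme-relative.
	$t_path = ltrim( $t_path, '/' );

	$t_result = $t_path;
	if( isset( $t_parts['query'] ) ) {
		$t_result .= '?' . $t_parts['query'];
	}
	if( isset( $t_parts['fragment'] ) ) {
		$t_result .= '#' . $t_parts['fragment'];
	}
	return $t_result;
}

// Constructed sample inputs: benign values next to the shapes that an
// open-redirect check has to neutralise.
$t_samples = array(
	'view.php?id=1#c1',                  // benign, kept as-is
	'/view.php',                         // benign, leading '/' removed
	'//attacker.example/view.php',       // host is dropped -> "view.php"
	'http://attacker.example/view.php',  // host is dropped -> "view.php"
	'\\\\attacker.example/view.php',     // -> "%5C%5Cattacker.example/view.php"
	'/\\attacker.example/view.php',      // -> "%5Cattacker.example/view.php"
);

foreach( $t_samples as $t_input ) {
	printf( "%-36s => %s\n", $t_input, sanitize_return_path( $t_input ) );
}
```

Every output above either has no leading slash or starts with %5C, so a browser resolves it under the page's own origin; the encoded backslash stays part of the file name rather than being reinterpreted as a path separator.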