Fix an XSS vulnerability in the reviews dropdown.

Review Request #4253 — Created June 21, 2013 and submitted

Information

Review Board
release-1.7.x

The reviews dropdown had a bad vulnerability where it would assume the
user's full name is valid HTML. This allowed the user to craft a script
tag that would be executed every time the name appeared in the dropdown.

This vulnerability exists in 1.6.x, 1.7.x, and the in-development 1.8.
There are no known attacks in the wild.

This was reported by Craig Young at Tripwire.

Added some HTML to some users' first and last names. Before this change,
I saw the result of the HTML. After, I saw the HTML tags as text, escaped.
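As an added illustration (not Review Board's own code), here is the pattern the description refers to: a dropdown item built by dropping a user's full name straight into HTML, beside the version that escapes it first. The user object, its field names and the `probe()` marker in the sample name are constructed for this example.

```javascript
// Added example, not Review Board's code: rendering a user's full name into a
// dropdown item. The vulnerable version treats the name as HTML; the fixed
// version escapes it so any tags in the name are shown as literal text.

// Escape the characters that change meaning in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Before: assumes the display name is already valid, trusted HTML (the bug).
function renderOptionVulnerable(user) {
  return `<li data-username="${user.username}">${user.fullname}</li>`;
}

// After: every user-controlled value is escaped for the context it lands in
// (attribute value and element text). In a browser, setting textContent or
// using a templating engine that auto-escapes achieves the same result.
function renderOptionFixed(user) {
  return `<li data-username="${escapeHtml(user.username)}">` +
         `${escapeHtml(user.fullname)}</li>`;
}

// Constructed sample user; the markup inside fullname is the point of the test.
const sampleUser = {
  username: 'sample',
  fullname: 'Ann <script>probe()</script> Example',
};

// Regression check: the rendered item must not carry a raw <script> tag from
// user data, and the escaped form must be what actually appears.
function scriptTagSurvives(html) {
  return html.includes('<script>');
}

console.log(renderOptionVulnerable(sampleUser)); // raw tag reaches the DOM
console.log(renderOptionFixed(sampleUser));      // tag is shown as text
```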
david
  1. Ship It!
chipx86
Review request changed

Status: Closed (submitted)