
web: use html/template

so output is safe against code injection
Nicola Murino 5 سال پیش
والد
کامیت
4f36c1de06
3فایلهای تغییر یافته به همراه3 افزوده شده و 3 حذف شده
  1. 1 1
      httpd/internal_test.go
  2. 1 1
      httpd/web.go
  3. 1 1
      templates/user.html

+ 1 - 1
httpd/internal_test.go

@@ -3,10 +3,10 @@ package httpd
 import (
 	"context"
 	"fmt"
+	"html/template"
 	"net/http"
 	"net/http/httptest"
 	"testing"
-	"text/template"
 
 	"github.com/drakkan/sftpgo/dataprovider"
 	"github.com/go-chi/chi"

+ 1 - 1
httpd/web.go

@@ -2,11 +2,11 @@ package httpd
 
 import (
 	"fmt"
+	"html/template"
 	"net/http"
 	"path/filepath"
 	"strconv"
 	"strings"
-	"text/template"
 
 	"github.com/drakkan/sftpgo/dataprovider"
 	"github.com/drakkan/sftpgo/sftpd"
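Review bot: Nothing in the visible hunks pins the escaping this import swap is meant to provide; the httpd/internal_test.go hunk changes only its own import. A small test that renders one of the web templates with a field value such as `<b>x</b>` and asserts the output contains `&lt;b&gt;` would keep a later revert to `text/template` from passing unnoticed. html/template also emits values of type `template.HTML`, `template.JS` and `template.URL` without escaping, so any such conversion of user-controlled data in this package (not visible here) would still bypass the protection. The import block continues outside the hunk.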

+ 1 - 1
templates/user.html

@@ -48,7 +48,7 @@
     <div class="form-group row">
         <label for="idPermissions" class="col-sm-2 col-form-label">Permissions</label>
         <div class="col-sm-10">
-            <select class="form-control id=" idPermissions" name="permissions" required multiple>
+            <select class="form-control" id="idPermissions" name="permissions" required multiple>
                 {{range $validPerm := .ValidPerms}}
                 <option value="{{$validPerm}}"
                     {{range $perm := $.User.Permissions}}{{if eq $perm $validPerm}}selected{{end}}{{end}}>{{$validPerm}}
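Review bot: The attribute fix on the `<select>` line matters more under html/template than it did under text/template. The contextual escaper derives the escaping for `{{$validPerm}}` from the surrounding markup, and it reports malformed tags as errors only when a template is first executed, not when it is parsed. The other files under templates/ are not visible here and may contain similar slips; a test that executes every template once with sample data would surface them before a user hits the page. The `{{range}}` block continues past the end of the hunk.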