XXS fixes:
- escape output from the imap server that is sent directly to the browser
- make sure other vars that are used in URLs etc are properly urlencoded and
cast vars that are ints to (int) so malicious code is removed automatically.