HTML render should be escaped

The `render_html()` method does not sanitize outputs. If a database field contains `<script>alert(1)</script>`, this will lead to code execution in the user's browser.

Simple fix, change from this:

```
    		echo "\t<td>$cell</td>\n";
```

...to this:
```
    		$cell = htmlspecialchars($cell);
    		echo "\t<td>$cell</td>\n";
```