MantisBT: master-1.3.x 796a327f

Author: atrol
Committer: dregad
Branch: master-1.3.x
Timestamp: 2019-08-25 01:52
Parent: master-1.3.x 404e3df8
Affected Issues:
  0026078: CVE-2019-15539: Stored XSS on Project Documentation
  0026079: CVE-2019-15539: Stored XSS on Project Documentation
Changeset

Fix XSS on project documentation

Vulnerability in deprecated project documentation functionality
($g_enable_project_documentation), allowing execution of arbitrary
code (if CSP settings permit it) after uploading an attachment with a
crafted filename.

Prevent the attack by sanitizing the filename before display.

Fixes 0026079 (clone of issue 0026078)

(cherry picked from commit bd094dede74ff6e313e286e949e2387233a96eea)

mod - proj_doc_edit_page.php
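The following PHP fragment is an added illustration of the bug class the commit message describes, not MantisBT code and not the project's fix: an attachment filename chosen by the uploader is stored in the database and later echoed into the project documentation page, so a filename containing HTML reaches the browser as markup. The sample filename, the `$t_file` array, the helper names `render_vulnerable`/`render_hardened` and the `file_download.php` link target are constructed for the example; the fix shown is plain HTML output encoding via `htmlspecialchars`.

```php
<?php
// Added example (not MantisBT code): stored XSS through an attachment
// filename, and output encoding as the fix.

// Constructed sample record. In the real application the filename comes
// from the database, i.e. it was chosen by whoever uploaded the document
// and must be treated as attacker-controlled.
$t_file = array(
    'id'       => 42,
    'filename' => '"><script>alert(document.cookie)</script>',
);

// Vulnerable pattern: the stored filename is concatenated into HTML as-is.
// The quote and angle brackets in the sample name close the surrounding
// markup and inject a <script> element that the browser executes.
function render_vulnerable( array $p_file ) {
    return '<a href="file_download.php?file_id=' . (int)$p_file['id'] . '">'
        . $p_file['filename'] . '</a>';
}

// Hardened pattern: encode the value for the HTML context at the point
// of display. ENT_QUOTES also escapes single quotes, so the same helper
// is safe inside quoted attribute values; UTF-8 is the assumed charset.
function render_hardened( array $p_file ) {
    $t_name = htmlspecialchars( $p_file['filename'], ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<a href="file_download.php?file_id=' . (int)$p_file['id'] . '">'
        . $t_name . '</a>';
}

// Sanity check: the hardened output must not contain a raw '<' from the
// filename, only the encoded form, so no new element can start there.
function is_inert( $p_html ) {
    return strpos( $p_html, '<script' ) === false
        && strpos( $p_html, '&lt;script' ) !== false;
}

echo render_vulnerable( $t_file ), "\n";
echo render_hardened( $t_file ), "\n";
echo is_inert( render_hardened( $t_file ) ) ? "hardened output is inert\n" : "STILL VULNERABLE\n";
```

Two points worth checking when reviewing a fix of this shape. First, the encoding has to be applied in every place the filename is rendered (link text, `title`/`alt` attributes, any JavaScript that embeds it), and in the form appropriate to each context; encoding once on upload is not a substitute, because other code paths may already have stored unencoded names. Second, as the commit message notes, a Content-Security-Policy only limits what an injected `<script>` can do; it does not remove the injection, so output encoding remains the actual fix and CSP is defence in depth.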