PHRAS-3800_xss (#4219)

* add encode option to record::get_title ; render preview.record_title in twig

* html-escape facet values

lib/classes/module/report/nav.php

@@ -519,7 +519,7 @@ class module_report_nav extends module_report
             , 'record_id' => $record->getRecordId()
             , 'date'      => $this->app['date-formatter']->getPrettyString($document->get_creation_date())
             , 'type'      => $document->get_mime()
-            , 'titre'     => $record->get_title()
+            , 'titre'     => $record->get_title(['encode'=> record_adapter::ENCODE_FOR_HTML])
             , 'taille'    => $document->get_size()
         ];