When I: put `<img src="" onerror="console.log('You have been pwned');" />` in my bio
Then I expect: to either literally see that in my bio when viewing the map, or not see the script-kiddie HTML injection at all
But actually: "You have been pwned" gets output to the console.
This is a case of XSS.
It's already been fixed with 744cdff, but for the record.
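
The reported behaviour next to the first expected outcome (the markup shown literally), as an added example that is not part of the original report and is not the project's fix in 744cdff. The function names, the wrapper `<div class="bio">` and the string-concatenation cause are assumptions; the bio value is the one from the report.

```javascript
// Added illustration; names and markup are hypothetical, not the project's code.

// Assumed vulnerable pattern: the bio is concatenated into markup that is
// later assigned to innerHTML (or handed to a map popup that does the same),
// so the browser parses the <img> and runs its onerror handler.
function renderBioUnsafe(bio) {
  return '<div class="bio">' + bio + '</div>';
}

// Escape the characters that are significant in HTML text and attribute values.
// A single pass over the input avoids double-escaping the '&' of earlier entities.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened form: the bio is treated as text, so the viewer sees it literally.
function renderBioSafe(bio) {
  return '<div class="bio">' + escapeHtml(bio) + '</div>';
}

// Regression check: true if anything inside the wrapper still starts a tag,
// a closing tag, or a comment/doctype.
function hasInjectedElement(html) {
  const inner = html.replace(/^<div class="bio">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// The bio value from the report above.
const REPORTED_BIO = '<img src="" onerror="console.log(\'You have been pwned\');" />';

console.log(hasInjectedElement(renderBioUnsafe(REPORTED_BIO))); // element survives
console.log(renderBioSafe(REPORTED_BIO));                       // inert text
```

In browser code, assigning the bio through `element.textContent` gives the same literal display without building an HTML string at all.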