Defuse XSS in Calendar

Summary: addDetail() takes HTML because we have links there fairly often. :/ This design is iffy.

Test Plan: Reloaded /calendar/status/, verified no XSS.

Reviewers: btrahan, vrana

Reviewed By: vrana

CC: aran

Maniphest Tasks: T139

Differential Revision: https://secure.phabricator.com/D4074