Restore htmlspecialchars() on the editToken value before outputting to HTML.

Restore htmlspecialchars() on the editToken value before outputting to HTML.
While at the moment the editToken() value is safe for literal inclusion is HTML output, it's a black-box value to the rest of the code and such safety is not guaranteed. Escaping text values being placed in HTML/XML attributes or text elements is a regular part of the output process and it's a bad habit to leave it out on text values that are produced elsewhere; they can and do change (such as all those localized messages which are now user-editable...)