Sanitize confirmation parameters (#2736)

app/views/devise/confirmations/show.html.erb

@@ -1,6 +1,6 @@
 
 <div class="container-fluid h-100 mx-0 py-0 px-0 bg-light">
   <div class="d-flex flex-column min-vh-100 justify-content-center align-items-center bg-light">
-    <%= link_to t('confirmation_go'), user_confirmation_path({ confirmation_token: params[:confirmation_token], go: true}) %>
+    <%= link_to t('confirmation_go'), user_confirmation_path({ confirmation_token: h(params[:confirmation_token]), go: true}) %>
   </div>
 </div>