CVE-2021-3853: Fix HTML escaping in recipient_row.

Commit 44f935695d (#20462) incorrectly
added these extra braces while intending to add whitespace control.
This triple-brace syntax was asking Handlebars to skip escaping the
string.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

static/templates/recipient_row.hbs

@@ -17,7 +17,7 @@
                 {{/if}}
 
                 {{~! Recipient (e.g. stream/topic or topic) ~}}
-                {{~{display_recipient}~}}
+                {{~display_recipient~}}
             </a>
 
             {{! hidden narrow icon for copy-pasting }}