Escape variables interpolated into <script> within index.html

Django's escapejs prevents breaking out with an embedded </script> tag.

It only works on bare string contents, not JSON-ish lists and such.  So we
generate stream_list and people_list with template loops now.

(imported from commit 07fe4bebaa3fa11bc479b4378b8989560ce77f6f)

templates/zephyr/index.html

@@ -43,11 +43,25 @@
 
 <script type="text/javascript">
 {% autoescape off %}
+
+{# Not escaped, because it's guaranteed by the model to be an integer. #}
 var initial_pointer = {{ user_profile.pointer }};
-var email = "{{ user_profile.user.email }}";
+
-var stream_list = {{ streams }};
+var email = "{{ user_profile.user.email|escapejs }}";
-var people_list = {{ people }};
+var have_initial_messages = {{ have_initial_messages|escapejs }};
-var have_initial_messages = {{ have_initial_messages }};
+
+var stream_list = [
+{% for stream in streams %}
+    "{{ stream|escapejs }}",
+{% endfor %}
+];
+
+var people_list = [
+{% for person in people %}
+    "{{ person|escapejs }}",
+{% endfor %}
+];
+
 {% endautoescape %}
 </script>
 {% endblock %}

zephyr/views.py

@@ -173,8 +173,8 @@ def home(request):
     return render_to_response('zephyr/index.html',
                               {'user_profile': user_profile,
                                'email_hash'  : hashlib.md5(user_profile.user.email).hexdigest(),
-                               'people'      : simplejson.dumps(people),
+                               'people'      : people,
-                               'streams'     : simplejson.dumps(streams),
+                               'streams'     : streams,
                                'have_initial_messages':
                                    'true' if messages else 'false',
                                'show_debug':