Description
When viewing the LoggingServlet (/logging) it is possible to edit the HTML (e.g. using Firebug) and change the options of the dropdown logger selector. By submitting raw HTML as the value of such an option, you are able to inject this HTML into the log4j collection of loggers. When the LoggingServlet is requested later, the page contains that raw HTML unescaped. Escaping the logger names when rendering makes this harmless.
It is not possible to check whether a logger of that name exists, or whether the submitted logger name contains only valid characters: logger names may contain any characters, all of them are valid, and the full set of loggers is not known at any point in time.
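As an added illustration (not the project's own LoggingServlet code), the vulnerable and the escaped rendering of the logger dropdown side by side; the class LoggerSelectorRenderer, its methods and the sample logger names are assumptions constructed for this example:

```java
import java.util.List;

// Added example, not the project's LoggingServlet: renders the logger
// selector with and without escaping. All names below are hypothetical.
public class LoggerSelectorRenderer {

    // Escapes the characters that can break out of an attribute value or
    // element text, so a logger name can never become markup.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable form: the logger name (client-controlled, since any string
    // submitted from the dropdown becomes a log4j logger) is concatenated
    // into the page as-is.
    static String renderUnescaped(List<String> loggerNames) {
        StringBuilder sb = new StringBuilder("<select name=\"logger\">\n");
        for (String name : loggerNames) {
            sb.append("  <option value=\"").append(name).append("\">")
              .append(name).append("</option>\n");
        }
        return sb.append("</select>").toString();
    }

    // Hardened form: identical, except every name passes through escapeHtml.
    // No validation of the name is attempted, because any name is a valid
    // logger name; escaping on output is what makes the page safe.
    static String renderEscaped(List<String> loggerNames) {
        StringBuilder sb = new StringBuilder("<select name=\"logger\">\n");
        for (String name : loggerNames) {
            String safe = escapeHtml(name);
            sb.append("  <option value=\"").append(safe).append("\">")
              .append(safe).append("</option>\n");
        }
        return sb.append("</select>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a normal logger plus a name submitted as raw HTML.
        List<String> names = List.of("org.example.Service", "<i>injected</i>");
        System.out.println(renderUnescaped(names)); // injected name is emitted as live markup
        System.out.println(renderEscaped(names));   // injected name is emitted as inert text
    }
}
```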