Various fixes for XSS and bad crypto. No claim to completeness.

* Fix a XSS reported in
  https://trac.torproject.org/projects/tor/ticket/14037
* Fix horrible use of crypto primitives.
* Add HMAC authentication to authtoken.
* Verify that the uid passed as a get parameters matches the
  one stored in authtoken.