When constructing paths to image files to serve, we previously spliced
strings from URL requests directly into the path to be opened. This is
theoretically worrisome because it could allow clients to read other
files that they are not supposed to read.
I'm not actually sure this is a real security problem because Flask's
URL parsing should probably rule out IDs that have `/` in them anyway.
But out of an abundance of caution, this now prevents paths from showing
up in IDs at all---and also prevents `.` and `..` from being valid
names.
displayable_path may remove 'bad' characters, yielding a wrong path.
Also use track.path rather than track.destination() as that is where
the file is actually located rather than where it should be located
according to the beets path system.
