fix xss with service letter contact blocks

service contact blocks contain new lines - and jinja2 normally ignores
newlines (as in it keeps them as new lines) - but we need to turn them
into `<br>` tags so that we can show the formatting that the user has
added. We were previously just doing `{{ block | nl2br | safe }}`. nl2br
turns the new lines into `<br>` tags, and then `safe` tells jinja that
it doesn't need to escape the html.

this causes issues if the user adds `<script>alert(1)</script>` to their
contact block (or some other evil xss hack), where that will get let
through due to the safe flag

To solve this, use `Markup(html='escape')` to sanitise any html, and
then convert new lines to `<br>`.

bump utils

another xss
Leo Hemsted
2020-01-21 16:50:44 +00:00
parent c57aec8cd5
commit 5bbbdc3cd9
7 changed files with 22 additions and 18 deletions
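The sink and the fix that the commit message describes, as an added example (not code from this commit or from the project the diff belongs to): a stand-in for `{{ block | nl2br | safe }}` beside an escape-then-convert version, plus the wrong ordering (escape after nl2br) for contrast. It uses only the standard library; `html.escape` substitutes for Flask's `Markup.escape` / `Field(..., html='escape')`, and the regex newline conversion is a constructed stand-in for `notifications_utils.formatters.nl2br`. The sample contact block is constructed.

```python
"""Added example: why `{{ block | nl2br | safe }}` is an XSS sink and why the
fix must escape BEFORE converting newlines to <br>.

Stand-ins (assumptions, not the project's own code):
  - html.escape            -> Flask/markupsafe `Markup.escape` / `Field(html='escape')`
  - regex newline replace  -> notifications_utils.formatters.nl2br
"""
import html
import re

# Constructed sample input: a letter contact block where the user has typed
# two formatted lines and pasted markup between them.
SAMPLE_BLOCK = "Line one\r\n<script>alert(1)</script>\nLine three"

_NEWLINE = re.compile(r"\r\n|\r|\n")


def nl2br_unsafe(value: str) -> str:
    """Mirrors `{{ value | nl2br | safe }}`: newlines become <br> and the
    result is handed to the template marked safe WITHOUT escaping, so any
    markup the user typed reaches the page as live HTML."""
    return _NEWLINE.sub("<br>", value)


def nl2br_safe(value: str) -> str:
    """The corrected order: escape first, then convert newlines. The only
    tags in the output are the <br> we insert ourselves, so marking the
    result safe is sound and the user's line breaks are preserved."""
    escaped = html.escape(value, quote=True)
    return _NEWLINE.sub("<br>", escaped)


def escape_after_nl2br(value: str) -> str:
    """Wrong order: escaping after nl2br also escapes our own <br> tags, so the
    output is safe but the formatting the user added is lost as `&lt;br&gt;`."""
    return html.escape(nl2br_unsafe(value), quote=True)


def contains_user_tags(rendered: str) -> bool:
    """Defensive check: True if any tag other than a bare <br> survived into
    the rendered string (i.e. user markup got through)."""
    return bool(re.search(r"<(?!br>)[^>]+>", rendered))


if __name__ == "__main__":
    for name, fn in (("unsafe", nl2br_unsafe), ("safe", nl2br_safe),
                     ("escape-after", escape_after_nl2br)):
        out = fn(SAMPLE_BLOCK)
        print(f"{name:13} user tags survive: {contains_user_tags(out)!s:5}  {out}")
```

Run as a script it prints the three renderings side by side; `contains_user_tags` is the kind of assertion a template unit test would make on the rendered contact block.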

@@ -1,7 +1,4 @@
from flask import Markup, abort, current_app
from notifications_utils.field import Field
from notifications_utils.formatters import nl2br
from notifications_utils.take import Take
from flask import abort, current_app
from werkzeug.utils import cached_property
from app.models import JSONModel
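Review bot: dropping the module-level `Markup`, `Field`, `Take` and `nl2br` imports (and replacing `from flask import Markup, abort, current_app` with `from flask import abort, current_app`) is only safe if no other method in this module still references those names; the rendered view has no `diff --git` header to show the file, so please confirm with a flake8 pass (F401/F821), since an overlooked `Markup(...)` elsewhere would now fail as a `NameError` at call time rather than at import.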
@@ -358,13 +355,11 @@ class Service(JSONModel):
@property
def default_letter_contact_block_html(self):
# import in the function to prevent cyclical imports
from app import nl2br
if self.default_letter_contact_block:
return Markup(Take(Field(
self.default_letter_contact_block['contact_block'],
html='escape',
)).then(
nl2br
))
return nl2br(self.default_letter_contact_block['contact_block'])
return ''
def edit_letter_contact_block(self, id, contact_block, is_default):
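Review bot: the escaping step (`Field(..., html='escape')` wrapped in `Markup`) is no longer visible in `default_letter_contact_block_html`; the property's XSS safety now rests entirely on the `nl2br` imported from `app` escaping before it converts newlines. Please add (or point to) a unit test asserting that a contact block containing `<script>alert(1)</script>` renders with `&lt;script&gt;` and that newlines still become `<br>`, so a later change to `app.nl2br` cannot silently reopen the hole. Also, the in-function import "to prevent cyclical imports" is a hint that the helper might sit better alongside `notifications_utils.formatters.nl2br` than in `app`, which would remove the cycle instead of working around it.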