Some cleanup for r36609:

Some cleanup for r36609:
$url and $alt parameters in makeExternalImage() are now normalized to be escaped on output instead of before they reach the function. This ensures that any hooks processing them won't accidentally send plaintext which might become an injection vector, or just get confused on pre-escaped input they didn't expect.