feat($interpolate): escape interpolated expressions

[shahata]

the default escaped interpolation signs are {{{{ and }}}}. those symbols will be ignored when parsing the interpolated string and will only be replaced by {{ and }} in the result string. this allows servers that put unsafe strings inside html templates to replace {{ with {{{{ and optionally }} with }}}} in order to prevent XSS attacks.

Closes #5601

[mary-poppins]

Thanks for the PR! Please check the items below to help us merge this faster. See the contributing docs for more information.

• Uses the issue template (#7496)

If you need to make changes to your pull request, you can update the commit with git commit --amend.
Then, update the pull request with git push -f.

Thanks again for your help!

[shahata]

This is another approach to escaping interpolation signs in a more simplistic fashion than #5628. I think it is better since all it does is ignore {{{{ and }}}} when looking for expressions in the interpolated string and replace them with {{ and }} in the result string.

@caitp - what do you think about this?

[shahata]

I'm pretty frustrated with the split/join thing. The alternative is to either write a simple replaceAll function or use some ugly regexp escaping function so that we can replace(new RegExp(escapedStartRegexp, 'g'), startSymbol)

[shahata]

Also, I think escapedEndSymbol is pretty useless, maybe we can just remove it... (we can have a escapedStartSymbol method instead of adding the escaped param to the startSymbol method, seems more elegant in my opinion since currently startSymbol method is a kind of weird "set two things or get one thing")

[caitp]

then you'd render the wrong thing, anyways whatever, there's enough comments, take a break

[shahata]

I mean we could say that the server needs to escape only the start symbol. What do you mean by there's enough comments?

[shahata]

Closing in favour of #7517