Fixed $sanitizing so that XSS attack are not possible

[JonathanGawrych]

Fixes the problems discussed in issue #62

This pull request has 3 parts:
First, the value was never assigned to the returned sanitized value, so that part is fixed
Second, there was a small hole in $oldViewValue, iff bad code was loaded, and contained invalid HTML
Third, $formatters as well as $parsers need to be sanitized

Thanks!

[JonathanGawrych]

The small hole I talked about in the second part refers to this line

if(ngModel.$oldViewValue === undefined) ngModel.$oldViewValue = value;

An attacker may bypass $sanitize by summiting invalid html with an attack on the first run when $oldViewValue is undefined.
Here's how:

submit value with XSSAttackWithInvalidHTML
ngModel.$oldViewValue is undefined thus:
    ngModel.$oldViewValue is set to XSSAttackWithInvalidHTML
try to $sanitize(XSSAttackWithInvalidHTML):
    Error is thrown
    Goto catch block
catch error
    assumes $oldViewValue is safe
    returns $oldViewValue with XSSAttackWithInvalidHTML
Browser will reject invalid HTML, but will still accept the well-formed parts (XSSAttack)
    XSSAttack is executed

[JonathanGawrych]

Updated my pull request to include the minified version
minified using uglifyjs version: 2.4.9

[SimeonC]

Awesome thanks! I'll make sure to update the changes I'd done in 1.2.0 branch to include your work when I get the chance.

I'm intending on using an optional custom branch of angular-sanitize to allow certain styles/tags through, namely color in the style attribute at present as that's the only attribute that's impractical to use through classes. (That I've thought of so far).