Migrate to pagedown for markdown parsing

[balloob]

We have recently been notified by Marcin Teodorczyk from https://www.intive.com about a vulnerability in Home Assistant: we did not sanitize the Markdown output. This means that our users have been vulnerable to script injection attacks. The severity is low, as to be able to create a persistent notification an attacker would need access to the instance.

Then, when migrating to the new package format, I accidentally removed the markdown file so the vulnerability no longer existed, but neither did the persistent notifications work.

While adding back a sanitized version of the markdown parser, I realized that when the component was migrated to ES6 in #465 we forgot to call super.ready(), so the Polymer template never initialized. That too actually resolved the vulnerability 😉

This PR migrates to use Pagedown, the Markdown renderer used by StackExchange: https://github.com/StackExchange/pagedown . This renderer includes a sanitizer after which I was no longer able to reproduce the script injection attack supplied by Marcin.

As a bonus, when the script fails to load, we will render the message as a text content.

I think that we should take a closer look what we want to support in the persistent notification markdown. We might just want to limit it to links and maybe paragraphs? (That's for a future PR)

[andrey-git]

Are you deleting the previous md parser?

[balloob]

I accidentally already did. It was a file in www_static but I forgot to copy it over to this repo when consolidating

[robbiet480]

CVE-2017-16782