Fix innerHTML XSS vulnerability

[csculley]

Closes #255

This PR fixes the XSS vulnerability issues associated with using innerHTML.

Please let me know if anything needs to be changed. Thank you!

[thexeos]

This is a breaking change, so a major version bump and upgrade notes would be needed in readme.

[csculley]

Should we start a new CHANGELOG.md file in the root of the repository? Otherwise, I can add an upgrade notes section to the changelog if you'd like!

[thexeos]

Should we start a new CHANGELOG.md file in the root of the repository? Otherwise, I can add an upgrade notes section to the changelog if you'd like!

I like the README approach. It also means that people that visit npm page would see the important upgrade instructions.

[csculley]

This should be ready to review again! Please let me know if there's anything that should be changed for better code quality or styling. Thank you!

[csculley]

Alright, I'm feeling good about this one 😄

[thexeos]

Looks good to me.

In summary:

• Existing Delta documents will loose their rendered HTML in value, but that is expected, as it may be currently polluted with XSS.
• New Delta documents will only ever store String (plain text) in value - the documentation reflects it.
• HTML rendering is still supported through the use of custom blots, that extend the default MentionBlot. They must implement a render method that returns an Element. Functionality of rendering HTML is maintained.
• Furthermore, the use of custom blot name means that mention objects with custom data payload will be explicitly handled by the custom blot, rather than the default one.
• I could not find any new XSS vectors (except for the end user introducing one in their render method).

Good work!

[MadSpindel]

Excellent job @csculley! I've now published version 4.0.0 to npm.

[csculley]

Thank you so much!!