Fix html attribute escaping

[mrkishi]

Fixes #4014.

This just adds the missing & and removes superfluous <> from the html attribute escape dictionary.

<> are treated as raw characters inside a double-quoted attribute value. This means they can contain </script> and friends inside, but if we're already in rawtext mode (meaning, inside an open <script> or other greedy html tags), then we're already inside an xss vector and we'd have to escape every single character, as kill(everyone) would be a valid value.

Try it: <tag data-value="<script>alert('pwned')</script>"> is properly handled by browsers.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Sorry but tests timeout at some point on this weak machine.

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpx changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

[changeset-bot]

🦋 Changeset detected

Latest commit: 53982ad

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[benmccann]

Why does & need to be encoded? OWASP suggests simply encoding " to " (should we use that rather than "?)

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-2-attribute-encode-before-inserting-untrusted-data-into-html-common-attributes

[mrkishi]

Why does & need to be encoded?

It's not exactly a security issue in this case. & won't break the surrounding quotes and enable a direct xss attack, however, it will change the value we'll get back from the dom.

const parent = document.body;
const text = 'hello "world"';
parent.insertAdjacentHTML('afterbegin', `<div data-string="${text}"></div>`);
if (parent.firstChild.dataset.string !== text) {
	throw new Error('oops! lost information');
}

should we use that rather than "?

I've no idea. I assume quot has a higher chance of being compressible, but newer compression algorithms like brotli are pre-primed with web-specific data, and both might be in there already!

[Conduitry]

This makes sense to me. Thank you!