Escape HTML attribute values in SSR

[tav]

When generating code for SSR, the output of {{tag expressions}} isn't currently properly escaped within HTML attributes — leading to both security issues and unexpected behaviour when the content includes special characters.

From briefly looking at the source, it looks like the issue is with this line in stringifyAttributeValue:

return '${' + snippet + '}';

Which should perhaps be replaced within something like:

return '${__escapeAttr(' + snippet + ')}';

Where the __escapeAttr function replaces anything except the "safe" subset of the printable ASCII characters with the equivalent &#NN; HTML character reference.

This pull request implements the above, limiting the above to the "safe" characters of a-z, A-Z, 0-9, -, , and _.

Let me know if you'd like me to make any further changes, or if you'd rather reimplement it in a better way yourselves.

Thank you!

[Conduitry]

Thanks for finding this! As far as I can tell, the only things that need to be escaped in an attribute value though are things that would be handled by the existing __escape function. We definitely should be doing some escaping of the strings that appear in attributes, but can you think of anything that __escape wouldn't cover?

[tav]

I took a conservative approach of whitelisting as opposed to guessing at a blacklist. For example, IE treats the backtick ` as an attribute delimiter like " and '.

[Conduitry]

Closing in favor of #1155.