Use of cgi.escape is deprecated in Python 3.2+ #338

@ericwb

Description

Describe the bug
Bandit's HTML formatter still uses cgi.escape(), but according to the Python 3.x documentation, this function is deprecated because it is unsafe, as quote is false by default. It recommends using html.escape instead.

https://docs.python.org/3.5/library/cgi.html

To Reproduce
N/A

Expected behavior
N/A

Bandit version

1.4.0

Additional context
N/A
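As an added illustration of why the quote default matters (example code written for this page, not Bandit's formatter and not the issue author's), the block below shows what happens when an untrusted value is placed inside an HTML attribute. Because cgi.escape() was removed from the standard library in Python 3.8, the old default behaviour is reproduced with html.escape(value, quote=False), which performs the same three substitutions (&, <, >). The attribute name and the sample value are constructed for the demonstration; html.escape() with its default quote=True additionally escapes both " and ', whereas cgi.escape(quote=True) only handled ".

```python
import html

# Constructed sample input: an untrusted string that an HTML report might
# embed in an attribute (a filename, a code line, an issue text, ...).
UNTRUSTED = 'x" onmouseover="alert(1)'


def escape_like_cgi(value: str) -> str:
    """Reproduce the old cgi.escape() default (quote=False).

    Only &, < and > are replaced; html.escape(quote=False) performs the
    identical substitution, so it stands in for the removed function here.
    """
    return html.escape(value, quote=False)


def escape_safe(value: str) -> str:
    """html.escape() with its default quote=True: also escapes " and '."""
    return html.escape(value, quote=True)


def render_attr(value: str, escaper) -> str:
    """Build a (hypothetical) table cell whose title attribute carries the
    escaped value, the way an HTML formatter would emit it."""
    return '<td title="%s">...</td>' % escaper(value)


def attribute_breakout(escaped_value: str) -> bool:
    """True if a raw quote survives in the escaped value.

    A surviving " or ' lets the value terminate the enclosing attribute and
    append attributes of its own (for example an event handler), which is
    the failure mode the quote parameter exists to prevent.
    """
    return '"' in escaped_value or "'" in escaped_value


if __name__ == "__main__":
    for name, escaper in (("cgi-style", escape_like_cgi), ("html.escape", escape_safe)):
        out = escape_escaper = escaper(UNTRUSTED)
        print("%-12s %-40s breakout=%s" % (name, out, attribute_breakout(out)))
        print("             " + render_attr(UNTRUSTED, escaper))
```

Running it shows the cgi-style result passing the value through untouched, so the rendered cell becomes `<td title="x" onmouseover="alert(1)">...</td>` with a live event handler, while html.escape() yields `x&quot; onmouseover=&quot;alert(1)` and the attribute stays intact. When reviewing a formatter, the check to make is whether every escaped value can land in an attribute; if it can, the escaper must quote.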

Labels

bug (Something isn't working)
