Regarding script and style elements, I found the relevant bits in the HTML 5 spec. These elements are called "raw text elements" in HTML 5. From the spec:
The text in raw text and escapable raw text elements must not contain any occurrences of the string "</" (U+003C LESS-THAN SIGN, U+002F SOLIDUS) followed by characters that case-insensitively match the tag name of the element followed by one of U+0009 CHARACTER TABULATION (tab), U+000A LINE FEED (LF), U+000C FORM FEED (FF), U+000D CARRIAGE RETURN (CR), U+0020 SPACE, U+003E GREATER-THAN SIGN (>), or U+002F SOLIDUS (/).
It would be safer if strings were escaped based on context. In particular:
HTML escaping inside of most HTML elements
Attribute escaping inside attribute values:
The script and style elements are pretty weird, and would probably need special handling. HTML escaping inside of them makes no sense, but on the other hand, they cannot contain their respective end-tag verbatim. (I think the rules are actually even more strict than this. In HTML 4.01, even "</" wasn't allowed in either. It looks like the same is true at least for script in HTML 5; I'm not sure about style.)
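The three contexts from the issue and the raw text rule quoted in the comment, as an added Python example that is not code from this project or from either poster. The names `raw_text_violation` and `escape_for` are hypothetical, attribute values are assumed to be emitted inside quotes, and raw text that breaks the rule is rejected rather than rewritten because a safe rewrite depends on the embedded language.

```python
import html
import re


def raw_text_violation(tag, text, strict=False):
    """Return the offset of the first forbidden sequence in raw text, or None.

    Default: the quoted HTML 5 rule, "</" + tag name (case-insensitive)
    followed by tab, LF, FF, CR, space, ">" or "/".
    strict=True: the stricter rule the issue mentions for HTML 4.01,
    where any "</" is forbidden.
    """
    if strict:
        pos = text.find("</")
        return pos if pos != -1 else None
    pattern = re.compile("</" + re.escape(tag) + r"[\t\n\f\r >/]", re.IGNORECASE)
    match = pattern.search(text)
    return match.start() if match else None


def escape_for(context, value, tag=None, strict=False):
    """Escape or validate `value` for the output context it is placed in.

    context is "text" (inside most elements), "attr" (inside a quoted
    attribute value) or "raw" (inside a raw text element named by `tag`,
    for example "script" or "style").
    """
    if context == "text":
        # &, < and > are enough between tags; quotes carry no meaning there.
        return html.escape(value, quote=False)
    if context == "attr":
        # Also escape both quote characters so the value cannot close the attribute.
        return html.escape(value, quote=True)
    if context == "raw":
        # Entities are not decoded in raw text, so escaping would corrupt the
        # content. The only option that is independent of the embedded
        # language is to refuse text that would end the element.
        pos = raw_text_violation(tag, value, strict)
        if pos is not None:
            raise ValueError(f"forbidden sequence in <{tag}> content at offset {pos}")
        return value
    raise ValueError(f"unknown context: {context!r}")


if __name__ == "__main__":
    # Constructed sample inputs.
    print(escape_for("text", "1 < 2 & 3"))
    print(escape_for("attr", "say \"hi\""))
    print(raw_text_violation("script", "var s = \"</ScRiPt>\";"))
```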