
XSS / HTML / script injection protection #7

@0gust1

Description


In https://github.com/benallfree/mdsvex-enhanced-images there is some protection in place to escape HTML characters from the gathered alt attribute.

Even if the attack surface seems quite small (the alt attribute is considered "safe" in the OWASP docs), it's a good idea to implement the same (and/or merge the projects): one will never know all the contextual uses of this plugin, and in some cases (let's say, an app which accepts user-submitted content without moderation or verification) it could leave some opportunities for evil work.

It should also be noted that, as we handle mdsvex files (which can contain code), this is, by design, less secure than more rigid user-contributed content systems.

refs:
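The escaping the issue asks for, shown as an added example that is not code from this plugin or from mdsvex-enhanced-images; the function names (`escapeHtmlAttr`, `renderImgUnsafe`, `renderImgSafe`, `isSingleImgTag`) and the sample alt text are assumptions constructed for the example:

```javascript
// Added example, not code from this plugin or mdsvex-enhanced-images.
// Shows why alt text gathered from markdown must be escaped before it is
// interpolated into an HTML attribute: a raw quote or angle bracket in
// user-supplied alt text can otherwise end the attribute or the tag.

// Escape the five characters that are significant inside a double-quoted
// attribute value (and in text content). '&' is replaced first so the
// entities produced for the other characters are not double-escaped.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The unprotected form: the gathered alt text is interpolated verbatim.
function renderImgUnsafe(src, alt) {
  return `<img src="${src}" alt="${alt}">`;
}

// The hardened form: every interpolated value goes through the escaper.
function renderImgSafe(src, alt) {
  return `<img src="${escapeHtmlAttr(src)}" alt="${escapeHtmlAttr(alt)}">`;
}

// Check a rendered string is exactly one <img> tag with two quoted
// attributes and nothing spilling outside them. The anchored regex fails
// as soon as an unescaped quote or '>' breaks the attribute boundaries.
function isSingleImgTag(html) {
  return /^<img src="[^"<>]*" alt="[^"<>]*">$/.test(html);
}

// Constructed sample alt text containing the characters that matter.
const SAMPLE_ALT = 'Photo of "Bob" & <friends>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderImgUnsafe('x.png', SAMPLE_ALT));
  console.log('safe:  ', renderImgSafe('x.png', SAMPLE_ALT));
  console.log('unsafe output is a single tag?', isSingleImgTag(renderImgUnsafe('x.png', SAMPLE_ALT)));
  console.log('safe output is a single tag?  ', isSingleImgTag(renderImgSafe('x.png', SAMPLE_ALT)));
}
```

The same escaper should be applied to any other gathered value (such as title or src) before it is placed in an attribute, not only to alt.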


Labels: enhancement (New feature or request), security (A feature related to a vulnerability or security concern)
