
Automatically escape certain HTML tags

Open revin opened this issue 8 years ago • 1 comments

Here's a markdown-it plugin that will automatically escape <iframe>, <script>, <style>, <textarea>, and <title> tags in embedded HTML blocks, the way GH does.

fixes #363

revin, May 16 '17 16:05

Currently a WIP; needs to have a few questions answered:

  • Our tests explicitly check that <script> is allowed when we're executed with sanitize: false. Nothing magic about <script> in particular; it's just an example of something that would be normally stripped out by the sanitizer. So I'm thinking maybe since turning the sanitizer off is, in a way, opting out of 100% strict GH compat, what about skipping this HTML escaping process in the case of sanitize: false?
  • The sanitizer is configured to strip iframes unless they're pointing to youtube URLs. IIRC we still need that capability because the npm docs have embedded YT vids. Is that still the case? It looks like GH compat is to always escape <iframe> tags in HTML blocks no matter what the src points to. Should we implement the GH version, and allow for the {YT-only, unescaped} version via some combination of options?

revin, May 16 '17 16:05
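The escaping described in the first post, and the "always escape `<iframe>` whatever its src" behaviour raised in the second, sketched as an added example; this is not the plugin from this issue or marky-markdown's own code. It assumes tokens shaped like markdown-it's (`type`, `content`, `children`); the function names and sample tokens are hypothetical and constructed for illustration.

```javascript
// Added example, not the plugin from this issue.
// Tag list comes from the issue text above.
const ESCAPED_TAGS = ['iframe', 'script', 'style', 'textarea', 'title'];

// "<" or "</" directly followed by a listed tag name that ends at whitespace,
// "/", ">" or end of input, so <titlebar> and <scripted> are left alone.
const TAG_OPEN = new RegExp(
  '<(?=/?(?:' + ESCAPED_TAGS.join('|') + ')(?:[\\s/>]|$))', 'gi');

// Replace only the leading "<" so the tag shows up as literal text.
function escapeDisallowedTags(html) {
  return html.replace(TAG_OPEN, '&lt;');
}

// Walk a token list shaped like markdown-it's (type, content, children) and
// rewrite only raw-HTML tokens; fenced code and text tokens are not touched.
function escapeHtmlTokens(tokens) {
  for (const token of tokens) {
    if (token.type === 'html_block' || token.type === 'html_inline') {
      token.content = escapeDisallowedTags(token.content);
    }
    if (token.children) escapeHtmlTokens(token.children);
  }
  return tokens;
}

// Constructed sample tokens (hypothetical input, not from the project's tests).
const sampleTokens = [
  { type: 'html_block', content: '<div>\n<SCRIPT src="a.js"></script>\n</div>\n' },
  { type: 'html_block', content: '<iframe src="https://www.youtube.com/embed/ID"></iframe>\n' },
  { type: 'fence', content: '<script>kept as code</script>\n' },
  { type: 'inline', content: '', children: [
    { type: 'text', content: 'see ' },
    { type: 'html_inline', content: '<title>' },
    { type: 'html_inline', content: '<titlebar>' },
  ] },
];

const escapedTokens = escapeHtmlTokens(sampleTokens);
```

Whether to skip this pass when `sanitize: false` is set, or to exempt YouTube iframes, is the open question in the thread and is deliberately not decided here.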