Escape attributes by default

[keithasaurus]

closes #7

• escape by default on attributes
• allow SafeString to override
• tests to verify escaping/overriding
• implement performance mitigation / optimization to avoid needing to escape for many (most?) attribute names
• updated docs
• remove mypyc github action step (compilation was failing because of these changes, but it's not being used anyway)

Thanks to @gcollazo for putting forth a good argument to doing this.

[gcollazo]

I would remove all of the on* event attributes from the safe list as they are all exploitable if unsanitized user input is used.

Reference: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

[gcollazo]

To better manage performance, consider having a default mode where everything is escaped (safe/slow) where one can opt out by using SafeString and a mode where nothing is escaped (unsafe/fast) where the user is responsible for escaping user input.

That will delegate the trade off decision to package consumers.

Reference: https://jinja.palletsprojects.com/en/3.1.x/templates/#html-escaping

[keithasaurus]

I would remove all of the on* event attributes from the safe list as they are all exploitable if unsanitized user input is used.

Perhaps the code is easy to misunderstand here. The only use of the safe keys lookup is for avoiding the escaping logic on the keys-only; and only if the keys exactly match. The result of escaping on those keys would produce no change, so it's ok to avoid if we know we can (and because a dict lookup is typically much faster than escaping in this case, it makes performance sense). The values are still be escaped.