added content escaping for text nodes

[whisk]

Description

Text() now escapes HTML5 special characters for safe rendering. Raw() is still available if you need to render code without escaping HTML5 elements — for example, if you need non-standard tags.

Technically, only & and < need to be escaped, not >. I still escape > for consistency and the resulting code passes the validator.

Some context

I accidentally ran into the problem that elements were not escaped in Text() and learned that there was no difference between Text and Raw nodes.

[chasefleming]

Same comment as here: #159 (comment)

[Copilot]

Pull Request Overview

This PR ensures that Text() nodes escape HTML5 special characters by introducing a new escaping utility and updating rendering methods, while preserving Raw() for unescaped content.

• Added EscapeNodeContents in utils.go to replace &, <, and > with their HTML entities.
• Updated all TextNode rendering methods to call EscapeNodeContents.
• Added unit tests in elements_test.go to verify the escaping behavior for various characters.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
utils.go	New EscapeNodeContents function and strings import
elements.go	Updated Text doc comment; render methods use escaping
elements_test.go	New tests for basic and HTML-escaped Text rendering

Comments suppressed due to low confidence (1)

elements_test.go:692

• Add a test case to verify that '&' characters are properly escaped to '&' in Text rendering, for example:

func TestTextWithAmpersandEscaping(t *testing.T) {
    expected := `<p>A &amp; B</p>`
    el := P(nil, Text("A & B"))
    assert.Equal(t, expected, el.Render())
}

}

[chasefleming]

Thanks for adding this!