Disallow <! in <script>
Summary:
HTML5 has this crazy script escaping states:
- Script data escaped dash dash state
- Script data double escaped state
https://communities.coverity.com/blogs/security/2012/11/16/did-i-do-that-html-5-js-escapers-3
Perhaps <! is too aggressive but I didn't spend much time searching for a more fine grained expression.
Test Plan: Searched for renderInlineScript().
Reviewers: epriestley
Reviewed By: epriestley
CC: Korvin, epriestley, aran
Differential Revision: https://secure.phabricator.com/D7329