Automatically escape HTML
This creates a class marking a string as safe for usage in HTML.
It automatically escapes everything else in phutil_tag().
It should simplify the code by removing all phutil_escape_html() used in phutil_tag().
It should also prevent XSS because it would be impossible to forget about escaping.
It should also prevent double escaping as phutil_escape_html(phutil_escape_html($s)) is safe.
The downside of this approach is that id(new PhutilHTML($s)).id(new PhutilHTML($s)) is a string that is not marked as HTML.
That's the reason why I've added the array semantics to $content.
I didn't measure the performance impact but if it wouldn't be horrible then I think it's worth it.
Test Plan: Loaded Phabricator homepage.
Reviewers: epriestley, btrahan
Reviewed By: epriestley
CC: aran, Korvin
Maniphest Tasks: T139
Differential Revision: https://secure.phabricator.com/D4499