[IMP] runtime: add markup tag function

[oomsveta]

Allows markup to be called as a tag function. The interpolated strings are then safely escaped for injection in HTML code.

Example usage:

const maliciousInput = "<script>alert('💥💥')</script>";
const value = markup`<b>${maliciousInput}</b>`;
// no problem, maliciousInput is properly escaped

[kebeclibre]

let's see what @jum-odoo thinks.

[seb-odoo]

markup-aware escape should be exported so we can use it in Odoo in place of htmlEscape that serves the exact same purpose.

See odoo/odoo#199300 for a proof of concept in Odoo of this PR.

[seb-odoo]

Thank you for accepting it, it is a nice improvement!
This will remove the need of overriding the ci/security in many cases by having safer code by default.

I still wish htmlEscape was exported from here rather than having to re-define exactly the same function in Odoo though. I guess I can make a PR for it now that this one is merged.

[ged-odoo]

we need to do something about markup and eventbus at least. Ideally, it should be accessible in some parts of odoo without the need for owl, for example, the website. there is a task for that though https://www.odoo.com/odoo/project/133/tasks/4364029?debug=assets

[seb-odoo]

Should we start re-exporting markup in html.js utils (from odoo) and use this import in business code rather than the one from owl then?

[seb-odoo]

Export of the escape function + tests: #1677

I still think it has value until a proper solution to the above-mentioned task is found.

Feel free to discard the PR, as we already have this function inside Odoo, it's not really "blocking".

[seb-odoo]

And a final request on this matter, would it be possible to make a release with the current PR (and the escape one, if it is approved) one of these days? 🙏

I'd love to start using the new syntax in Odoo whenever possible! We do have quite a few markup-sensitive PR in the way (especially the composer one), and I'd like to rebase and finish odoo/odoo#199300 too.