fix(a11y-status): escape HTML in statuses

[rgajrawala]

What/Why:
Potential XSS attack in generation of a11y status messages. Need to escape input before rendering those.

How:
Escape input by building the a11y status div using DOM API and fill in status message using textContent, which automatically escapes text (wanted to use innerText but it's not supported in Enzyme tests).

When using the DOM API, previous children will need to removed manually. I opted for using a loop and Node.removeChild over Node.innerHTML = '' because the former is more performant.

Checklist:

• Documentation N/A
• Tests
• Ready to be merged>
• Added myself to contributors table

[codecov-io]

Codecov Report

Merging #231 into master will not change coverage.
The diff coverage is 100%.

@@          Coverage Diff          @@
##           master   #231   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files           4      4           
  Lines         271    277    +6     
  Branches       63     63           
=====================================
+ Hits          271    277    +6

Impacted Files	Coverage Δ
src/set-a11y-status.js	100% <100%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1385fc9...df3245d. Read the comment docs.

[kentcdodds]

Thank you so much for this! Very helpful 👍

[kentcdodds]

This has been released. Everyone should upgrade to downshift@1.13.1 as soon as possible.