fix: introduce escape utility and use it to escape html attribute

[dominikg]

and body of injected data script block

possibly fixes #2530

full json escape is a proto implementation and tests fail locally for me. Unfortunately i wasn't able to tell if it's just bc fixtures need updating or there's an issue with the way it's encoded.

cc @Conduitry

Before submitting the PR, please make sure you do the following

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpx changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

[changeset-bot]

🦋 Changeset detected

Latest commit: 1ad6a12

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[Conduitry]

Thanks! I've tidied a couple of function names, fixed the escaping of the selector on the other end where we retrieve the serialized endpoint response, and added a changeset. I'm going to watch the tests and then I think we're ready to go.

[Conduitry]

Oh, I should also say that I've pulled down the repro in #2530 and run it locally with this branch, and things seem to be working fine. The attribute value in the HTML gets escaped properly, and then it's successfully retrieved later with document.querySelector.