content: HTML escaping at render boundary (String>>htmlEscaped) + 8 tests (238/238)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/content/tests/render.sx

@@ -1,5 +1,5 @@
 ;; Phase 1 — render boundary. asHTML / asSx are polymorphic message sends on
-;; blocks and the document.
+;; blocks and the document. HTML escaping happens at the boundary.
 
 (st-bootstrap-classes!)
 (content-bootstrap-blocks!)
@@ -71,3 +71,41 @@
   "render after delete"
   (asHTML (doc-delete d "p"))
   "<h2>Title</h2><hr>")
+
+;; ── HTML escaping at the boundary ──
+(define xh (mk-heading "xh" 2 "A < B & \"C\""))
+(define xp (mk-text "xp" "<script>alert(1)</script>"))
+(define xi (mk-image "xi" "/a.png?x=1&y=2" "tag <b>"))
+(define xl (mk-list "xl" false (list "a<1" "b&2")))
+(content-test
+  "escape heading text"
+  (asHTML xh)
+  "<h2>A &lt; B &amp; &quot;C&quot;</h2>")
+(content-test
+  "escape paragraph"
+  (asHTML xp)
+  "<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>")
+(content-test
+  "escape image attrs"
+  (asHTML xi)
+  "<img src=\"/a.png?x=1&amp;y=2\" alt=\"tag &lt;b&gt;\">")
+(content-test
+  "escape list items"
+  (asHTML xl)
+  "<ul><li>a&lt;1</li><li>b&amp;2</li></ul>")
+(content-test
+  "escape ampersand once"
+  (asHTML (mk-text "amp" "a & b"))
+  "<p>a &amp; b</p>")
+(content-test
+  "escape in document"
+  (asHTML (doc-append (doc-empty "e") xp))
+  "<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>")
+(content-test
+  "no over-escape plain"
+  (asHTML (mk-text "plain" "hello world"))
+  "<p>hello world</p>")
+(content-test
+  "escape code body"
+  (asHTML (mk-code "xc" "html" "<div> & </div>"))
+  "<pre><code class=\"language-html\">&lt;div&gt; &amp; &lt;/div&gt;</code></pre>")