reduce direct html injection, add escaping where necessary

[tyrasd]

fixes #8813 by:

• partially reverting 32f8274 (Add lang attribute to translated text #7998) so that html is only used when necessary and safe.
  • this is now almost exclusively the case when html comes from an internal source like t.html(…).
• t.html now escapes all replacement strings, except when they are explicitly marked as html code.
• replacing many unnecessary calls to d3_selection.html with a new method that directly and safely appends the localized text to the dom: ~selection.html(t.html("…")) → selection.call(t.append("…"))
• adding a missing encodeURIComponent thanks @1ec5
• use a more precise "language code" for the no-language-code specified case (unrelated to the fix, but also included because it touches the same code), thanks @1ec5

todo:

• add to changelog
• add unit tests for new t.append method

[1ec5]

Thanks for making these extensive changes. I haven’t gotten a chance to look through the whole PR, but here’s a couple things that I noticed at a glance.

[1ec5]

The changes look good as far as I can tell.

[tyrasd]

Quick update on this issue: I do now consider (almost?) all usages of d3's .html(…) and thus also all usages of t.html as problematic code. Instead, all text should have been inserted using d3 natively (see the new t.htmlDom method). I'm starting to rewrite all affected portions of the code. Most "regular" calls to t.html should already be refactored. I don't yet have an implementation which works for the nested localized spans and there are a few places where the .html injection was used "creatively", which I will still have to look at.

I noticed that there are some glitches in various parts of the UI at the moment:

• walkthrough
• help menu
• issues/validation menu(??)
• turn restrictions field
• global search results

---

//edit: here's an example of a further html injection vector: via OSM tags 🙈

[tyrasd]

The UI glitches seem to be resolved now. Only a few small todos are now left (see top comment).

There's quite a bit more t.html I really would like to remove from the code base eventually, but they require deeper refactoring and don't seem to be obvious XSS / HTML injection vectors or AFAICS.