Security fix for OSC URLs

If you had a malformed URL when using the OSC URL sequence, it would not be properly escaped.
Also, html escaping is now mandatory. The 'escape_for_html' property was removed.
As a result, we increased the MAJOR version to 5.