escapeParameterHtml flag: Don't escape ampersand (&) symbol

[gardarh]

I recently pushed a PR that implemented the escapeParameterHtml flag. In using this flag I have noticed one undesired side effect: In some cases it's hard to avoid a "double-escape" scenario, i.e.:

<div text="$t('some_resource_with_foo_variable', {foo: 'a & b'}" />

Yields the following:

a & b

A mitigation would be to use v-html in the div tag but it feels like suggesting that would cause more harm than benefit. By not escaping the & symbol we we avoid this situation. This proposed change also converts this functionality into an idempotent one, i.e. the escape operation can be performed multiple times without producing multi-escaped output.

The negative security impact is minimal since a) we are already escaping the < and > symbols and b) this flag was introduced very recently and likely still has little usage.

[kazupon]

relesed v8.22.1