HTML formatter passes '<' symbol and tags unescaped #15
Description
:html formatter passes < symbols as is to resulting html, which may result in XSS vulnerability.
[2] pry(main)> Differ.diff_by_line("foo", "<script>alert(1)</script>").format_as(:html)
=> "<del class=\"differ\"><script>alert(1)</script></del><ins class=\"differ\">foo</ins>"
As Differ operates on strings, not HTML fragments, IMHO, it should escape chunks of these strings in resulting html.
Using differ 0.1.2.