Use javascript string escaping in Polymer.html

[dfreedm]

There's a lot of pitfalls

Fixes #5060

[TimvdLippe]

LGTM. Lets see what @justinfagnani thinks as well.

[kevinpschaaf]

LGTM

[kevinpschaaf]

Went over the tradeoffs with a few people in the bullpen. There are a few considerations.

Pros for using raw:

• Can mostly use HTML escaping rules, not JS escaping rules (e.g., you can safely write e.g. <div>Are you happy (yes\no)?</div> in the HTML without escaping the \ since the \ means nothing special in HTML)

Cons for using raw:

• You can't get around needing to escape a couple of JS-specific characters in the HTML, even when using raw: e.g. ` and $ when preceeding a { still needs to be escaped when used in HTML to prevent closing the string or starting a part. For example, a common footgun would be <div>The price is ${{price}}</div>; the $ needs to be escaped to \${{price}} per JS rules.
• The \ required to escape the backtick and dollar signs per the above would need to be post-processed out of the raw text, since they still show up in the raw output, making the processing in the html tag function more complex
• Since most users are familiar with backticked-strings conforming to JS escaping rules, having mostly non-JS escaping rules, but needing to remember a couple of them just sounds confusing

[usergenic]

👏