Escape "<" and ">" when serializing attribute values

Avoid a class of XSS attacks where markup goes through a lossy parse-serialize-parse roundtrip and the original attribute value is parsed in the data state.

This reverts 4eeb8a1.

Fixes whatwg#6235.

Author: zcorpan

source

@@ -136053,14 +136053,15 @@ console.assert(container.firstChild instanceof SuperP);
    <li><p>Replace any occurrences of the U+00A0 NO-BREAK SPACE character by the string "<code
    data-x="">&amp;nbsp;</code>".</p></li>
 
-   <li><p>If the algorithm was invoked in the <i>attribute mode</i>, replace any occurrences of the
-   "<code data-x="">&quot;</code>" character by the string "<code
-   data-x="">&amp;quot;</code>".</p></li>
+   <li><p>Replace any occurrences of the "<code data-x="">&lt;</code>" character by the string
+   "<code data-x="">&amp;lt;</code>".</p></li>
+
+   <li><p>Replace any occurrences of the "<code data-x="">&gt;</code>" character by the string
+   "<code data-x="">&amp;gt;</code>".</p></li>
 
-   <li><p>If the algorithm was <em>not</em> invoked in the <i>attribute mode</i>, replace any
-   occurrences of the "<code data-x="">&lt;</code>" character by the string "<code
-   data-x="">&amp;lt;</code>", and any occurrences of the "<code data-x="">&gt;</code>" character by
-   the string "<code data-x="">&amp;gt;</code>".</p></li>
+   <li><p>If the algorithm was invoked in the <i>attribute mode</i>, then replace any occurrences of
+   the "<code data-x="">&quot;</code>" character by the string "<code
+   data-x="">&amp;quot;</code>".</p></li>
   </ol>