Escape entities in html() output

[jcushman]

Currently the .html() method does not escape the tag.text portion of the response:

In [1]: pq('<div>encoded &lt;script&gt; tag</div>').html()
Out[1]: 'encoded <script> tag'

This PR updates .html() to call the builtin html.escape() function on tag.text. We can set quote=False because we're escaping element text rather than attribute text.

Fixes #205 #218 #200 #178

[jcushman]

Addressing a question @gawel asked on #205, we don't need any additional escaping for the children, because that's handled by etree.tostring(). I made sure the new test covers that, though.

I also had to tweak the textarea test since calling.val(text) sets .text, so fetching that value now comes back escaped.

(I messed a little bit with changing how .val() and .text() work in general with textareas, to make it more like jQuery where angle brackets seem to be escaped separately from ampersands, but decided that was too invasive for this PR.)

[gawel]

Seems fine. Can you just add an entry to the changelog ? thanks

[jcushman]

Changelog updated.