XSS: escape < and > characters in written out XHR response

[matthewp]

This escapes < and > to prevent XHR responses from containing script injections.

[phillipskevin]

I don't know that it's actually a problem that we could have due to how the XHR_CACHE is written out, but I think we may also want to escape &. That's what they mention here: https://www.w3.org/International/questions/qa-escapes#use.

[matthewp]

This is what Google's Java JSON serializes escapes: https://github.com/google/gson/blob/0636635cbffa08157bdbd558b1212e4d806474eb/gson/src/main/java/com/google/gson/stream/JsonWriter.java#L157-L161

Maybe we should just do all of those. I'll update.

[matthewp]

@phillipskevin I added 35265c454cb452ea1837fd6fc6995d525f41e97e which escapes more stuff.