danmactough / node-feedparser

Robust RSS, Atom, and RDF feed parsing in Node.js

Do not strip html by default #249

Closed danmactough closed 6 years ago

danmactough commented 6 years ago

In older versions, we always stripped html-like substrings in certain elements to help users avoid inadvertently creating XSS vulnerabilities by reflecting the value of these elements without properly escaping them. We decided that wasn't particularly helpful because the simple sanitation we were performing didn't address all cases. It also did a poor job of sanitizing.

This removes that html stripping by default and adds the option strip_html to restore the old behavior.

Resolves #165, #243
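The point behind this change is that stripping "html-like substrings" on parse is not an XSS defence: the payloads that matter often contain no complete tag at all, and safety depends on the context the value is rendered into, which the parser cannot know. The block below is an added example, not feedparser's code and not code from this PR. The `naiveStripHtml` function is an assumption standing in for the kind of stripping the old default did (drop anything from `<` to the next `>`), and the feed field values are constructed for the example. It shows four fields that pass such a stripper untouched and a consumer-side renderer that escapes each value for the HTML context it lands in and allowlists the link scheme, which is the discipline a consumer needs whether or not `strip_html` is enabled.

```javascript
// Added example (not feedparser's own code). The stripper below is an
// assumption approximating the old default; the sample fields are constructed.

// Naive tag stripper: removes any '<' ... '>' run. Leaves everything else.
function naiveStripHtml(s) {
  return String(s).replace(/<[^>]*>/g, '');
}

// Untrusted feed fields, constructed to show what stripping does not catch.
const untrustedFields = {
  // No closing '>' anywhere, so the regex never matches.
  title: '<script src=//evil.example/x.js',
  // No tags at all; breaks out of a double-quoted attribute value.
  author: '" onmouseover="alert(1)',
  // A URL: the dangerous part is the scheme, not a tag.
  link: 'javascript:alert(document.cookie)',
  // Entity-encoded tag: survives stripping, becomes live if decoded later.
  description: '&lt;img src=x onerror=alert(1)&gt;',
};

// What the stripping default would have handed to the consumer.
function stripAllFields(item) {
  const out = {};
  for (const [key, value] of Object.entries(item)) {
    out[key] = naiveStripHtml(value);
  }
  return out;
}

// Escape for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allow only http(s) links; anything unparseable or another scheme is inert.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '#';
  } catch {
    return '#';
  }
}

// Consumer-side rendering: escape per context at output time.
function renderItem(item) {
  return (
    `<article><h2>${escapeHtml(item.title)}</h2>` +
    `<a href="${escapeHtml(safeHref(item.link))}" title="${escapeHtml(item.author)}">` +
    `${escapeHtml(item.author)}</a>` +
    `<p>${escapeHtml(item.description)}</p></article>`
  );
}

// Stand-alone demonstration: every field survives stripping unchanged,
// while the renderer neutralises all four.
const stripped = stripAllFields(untrustedFields);
console.log('after stripping:', stripped);
console.log('rendered safely:', renderItem(untrustedFields));
```

The stripped object is byte-for-byte identical to the input, which is the failure the PR describes: the consumer gets no protection but may believe it has some. `renderItem` does the work at the right layer, and nothing in it depends on what the parser did to the text beforehand.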

danmactough commented 6 years ago

This will be a semver major change.

danmactough commented 6 years ago

Closing this and cutting a v3.0.0-pre branch including this change.