jaw-sh / stream-nexus

Unified multicast stream chat overlay.

Render message templates with escaping #21

Closed. y-a-t-s closed this 2 weeks ago

y-a-t-s commented 7 months ago

Right now, it looks like we're rendering any HTML content in chat messages passed through JSON from the Userscript. This is handy for rendering emote <img> tags, but it opens the user up to rendering any HTML that wasn't already escaped by the streaming service before sending it down the socket/EventSource/etc. to the Userscript.

The |safe in this line is the culprit: https://github.com/jaw-sh/stream-nexus/blob/a5a9e5b2c1fe0f43799473268f290952f56e67f1/templates/message.html#L23

The first solution that comes to mind is picking out any emote images and rendering them in their own template blocks. Something like {{ msg_text_part_a }} {{ emote_img }} {{ msg_text_part_b }}. Splitting the messages into chunks like that can easily be handled by for loops in the message template.
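One way to implement the split-and-escape approach proposed above, as an added example in Rust (the language stream-nexus is written in) that is not the project's own code: text chunks are HTML-escaped and emote `<img>` tags are built only from a trusted emote table, so no markup from the raw message reaches the template unescaped. The `:name:` emote code format and the emote table itself are assumptions.

```rust
use std::collections::HashMap;

/// HTML-escape a text chunk so any markup in it renders as literal characters.
fn escape_html(s: &str) -> String {
    s.chars().map(|c| match c {
        '&' => "&amp;".to_string(),
        '<' => "&lt;".to_string(),
        '>' => "&gt;".to_string(),
        '"' => "&quot;".to_string(),
        '\'' => "&#39;".to_string(),
        _ => c.to_string(),
    }).collect()
}

/// A message chunk: literal text (escaped on output) or an emote whose
/// <img> attributes come only from the trusted emote table.
#[derive(Debug, PartialEq)]
enum Segment { Text(String), Emote { code: String, url: String } }

/// Split a raw message into chunks. Emote codes (assumed ":name:" form) are
/// recognised only when present in `emotes`; everything else stays text.
fn split_message(msg: &str, emotes: &HashMap<&str, &str>) -> Vec<Segment> {
    let mut segments = Vec::new();
    let mut rest = msg;
    while !rest.is_empty() {
        // Earliest occurrence of any known emote code in the remaining text
        // (longest code wins on a tie).
        let hit = emotes.iter()
            .filter_map(|(code, url)| rest.find(*code).map(|i| (i, *code, *url)))
            .min_by_key(|&(i, code, _)| (i, std::cmp::Reverse(code.len())));
        match hit {
            Some((i, code, url)) => {
                if i > 0 { segments.push(Segment::Text(rest[..i].to_string())); }
                segments.push(Segment::Emote { code: code.to_string(), url: url.to_string() });
                rest = &rest[i + code.len()..];
            }
            None => { segments.push(Segment::Text(rest.to_string())); break; }
        }
    }
    segments
}

/// Render the chunks: text is escaped, emotes become <img> tags built from
/// trusted values (escaped anyway, so a bad table entry cannot break out).
fn render_message(msg: &str, emotes: &HashMap<&str, &str>) -> String {
    split_message(msg, emotes).iter().map(|seg| match seg {
        Segment::Text(t) => escape_html(t),
        Segment::Emote { code, url } => format!(
            r#"<img class="emote" src="{}" alt="{}">"#, escape_html(url), escape_html(code)),
    }).collect()
}
```

In the template this corresponds to looping over the segments and only ever marking the emote chunk as safe, never the text chunk.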

jaw-sh commented 7 months ago

That's deliberate because I expected the chat messages for the chats to actually be safe, but it appears that Odysee accepts unsafe input, stores it as unsafe, and then it's the job of the Odysee client to actually remove dangerous elements. I think we can do that for some stuff, but I will also set Rust to render pages with CSP so nothing dangerous can happen regardless.