URLs should be escaped

[fregante]

URLs may contain HTML-looking parts, such as &amp, which browsers friendly turn to & in code.

Live example: https://runkit.com/embed/jxchw34aqffr (RunKit nicely shows the rendered HTML as well)

The value should always be escaped; the href attribute doesn't seem to be as smart with entities (& is converted to & but &amp isn't) so probably it doesn't need to be escaped.

[fregante]

Perhaps this can be handled by create-html-element: https://github.com/sindresorhus/create-html-element/issues/2