greenelab/lab-website-template

Use better escape filters

Closed this issue · 0 comments

#274 incorporates xml_escape in a bunch of places, which at least stops special characters from breaking HTML parsing. But we can make it better by using cgi_escape, uri_escape, strip_html, or a custom regex to strip whatever characters are appropriate for the context.

Examples:

  • alt or aria-label attributes should ideally remove all special characters, so that they're not announced by screen readers. xml_escape will leave behind HTML entities which are annoying to hear on a screen reader.
  • href and src attributes and CSS url() should probably use uri_escape.
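One way to see the difference the issue is pointing at, as an added example (Ruby, not code from lab-website-template or from Jekyll): the helpers below approximate the Liquid/Jekyll filters named above with Ruby standard-library calls (`CGI.escapeHTML` for `xml_escape`, `CGI.escape` for `cgi_escape`, `ERB::Util.url_encode` for a single-segment `uri_escape`, a tag-stripping regex for `strip_html`) plus the custom whitelist regex proposed for `alt`/`aria-label`, and `render_card` assembles one snippet choosing a filter per context. The sample title, file name, `/images/` and `/search?q=` paths are constructed for the example. Note that Jekyll's real `uri_escape` works on a whole URI and keeps structural characters such as `/`; the helper here deliberately encodes one path segment so that a value containing `/`, `?` or `&` cannot add path or query components.

```ruby
require "cgi"
require "erb"

# Constructed inputs standing in for front-matter values a site member might
# supply; they are not taken from the real site.
TITLE = %q{Bob's <b>"lab"</b> & co <script>x()</script>}
FILE  = "Bob's lab/notes?x=1&y=2.png"

# xml_escape analogue: entity-encode & < > " ' so the value cannot break out of
# element text or a quoted attribute. The characters survive as entities.
def escape_for_html(s)
  CGI.escapeHTML(s.to_s)
end

# strip_html analogue: drop tags but keep their text. On its own this is not a
# sanitizer; the result still has to be escaped for wherever it is placed.
def strip_html(s)
  s.to_s.gsub(/<[^>]*>/m, "")
end

# Custom regex for alt / aria-label: strip tags, then keep only letters, digits,
# whitespace and a little punctuation, collapsing runs of whitespace. Nothing
# left can close a double-quoted attribute, and no entities are produced.
# Assumes the template writes the attribute with double quotes.
def escape_for_alt(s)
  strip_html(s).gsub(/[^\p{Alnum}\s.,'-]/, "").gsub(/\s+/, " ").strip
end

# uri_escape-style encoding of a single path segment for href / src / url():
# everything outside the unreserved set (A-Z a-z 0-9 _ - . ~) is percent-encoded.
def escape_for_uri_component(s)
  ERB::Util.url_encode(s.to_s)
end

# cgi_escape analogue: application/x-www-form-urlencoded, so space becomes '+'.
# Suitable for a query-string value, not for a path segment.
def escape_for_query(s)
  CGI.escape(s.to_s)
end

# Assemble one card the way a template would, picking the filter per context.
# The /images/ and /search?q= paths are assumed for this example.
def render_card(title, file)
  src = "/images/#{escape_for_uri_component(file)}"
  <<~HTML.strip
    <a href="/search?q=#{escape_for_query(title)}">
      <img src="#{src}" alt="#{escape_for_alt(title)}">
      <span>#{escape_for_html(title)}</span>
    </a>
  HTML
end

if __FILE__ == $PROGRAM_NAME
  puts render_card(TITLE, FILE)
end
```

Running the file prints the card: the `<span>` shows the title with its markup entity-encoded, the `alt` reads `Bob's lab co x` with no tags, quotes or entities, and the `src` keeps the supplied file name inside `/images/` because its `/`, `?` and `&` are percent-encoded.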