Extensions: escape HTML entities in default values

This prevents generation of invalid XML due to characters like '<' or
'>' in fields' default values. Unfortunately the value comes back in its
escaped form, so there's still more work to be done.
Christopher Willis-Ford 2017-10-04 12:48:08 -07:00
parent e9aed49a05
commit dd20e09774
2 changed files with 5 additions and 1 deletions


@ -31,6 +31,7 @@
"babel-loader": "^7.0.0",
"babel-preset-es2015": "^6.24.1",
"copy-webpack-plugin": "4.0.1",
"escape-html": "1.0.3",
"eslint": "^4.5.0",
"eslint-config-scratch": "^4.0.0",
"expose-loader": "0.7.3",


@ -1,5 +1,6 @@
const EventEmitter = require('events');
const {OrderedMap} = require('immutable');
const escapeHtml = require('escape-html');
const ArgumentType = require('../extension-support/argument-type');
const Blocks = require('./blocks');
@ -457,7 +458,9 @@ class Runtime extends EventEmitter {
const argInfo = blockInfo.arguments[placeholder] || {};
const argTypeInfo = ArgumentTypeMap[argInfo.type] || {};
const defaultValue = (typeof argInfo.defaultValue === 'undefined' ? '' : argInfo.defaultValue.toString());
const defaultValue = (typeof argInfo.defaultValue === 'undefined' ?
'' :
escapeHtml(argInfo.defaultValue.toString()));
// <value> is the ScratchBlocks name for a block input.
// The <shadow> is a placeholder for a reporter and is visible when there's no reporter in this input.
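Review bot: The guard in the new `defaultValue` expression only tests `typeof argInfo.defaultValue === 'undefined'`, so a `null` default still reaches `.toString()` and throws before any escaping happens. `argInfo` is read from `blockInfo.arguments[placeholder]`, which by the commit title appears to be extension-supplied, so a nullish check is safer: `const defaultValue = (argInfo.defaultValue == null ? '' : escapeHtml(String(argInfo.defaultValue)));`. A comment such as `// XML-escaped: use only when building the ScratchBlocks XML string` would also keep the escaped value from being reused in a non-XML context. The enclosing function starts and ends outside this hunk, so whether other values interpolated into the XML get the same treatment cannot be checked from here.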