Ensure we escape sequences of different entities
In a naive, multi-pass entity replacement (e.g., replace all `&` with
`&amp;`, replace all `<` with `&lt;`) the replacement order is
important. (You must replace `&` with `&amp;` first, lest you replace
`<` with `&lt;` then replace `&lt;` with `&amp;lt;`.)

The `escapeHTML` function is a single-pass replacement of each entity at
a time, so is not vulnerable to such a failure mode, but add a test to
avoid regressions.
ethomson committed Dec 12, 2023
1 parent 696de5a commit 2312788
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions test/dashboard.ts
@@ -19,6 +19,11 @@ describe("dashboard", async () => {
status: TestStatus.Fail,
name: "another name escaped 'properly'", // single quotes require escaping
description: "another description escaped & properly", // ampersand requires escaping
},
{
status: TestStatus.Fail,
name: "entities ' are & escaped < in > proper & order",
description: "order is important in a multi-pass replacement",
}
]
}
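Review bot: the `description` on the new test case ("order is important in a multi-pass replacement") contains none of the five characters the escaper handles, so nothing can assert on it and it documents rather than tests the ordering behaviour. Either give it a value that needs escaping, or put the ordering-sensitive content only in `name` and make the description a plain label. Consider also adding a `"` to the sequence so a single string exercises all of `'`, `"`, `&`, `<` and `>` together, and a case whose input already looks like an entity (e.g. a literal `&amp;`), since the regression the commit message describes (`&lt;` becoming `&amp;lt;`) is caught most directly by checking that pre-existing entity text is escaped exactly once more and never skipped.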
@@ -29,6 +34,7 @@ describe("dashboard", async () => {
expect(actual).contains("description escaped &quot;properly&quot;")
expect(actual).contains("another name escaped &apos;properly&apos;")
expect(actual).contains("another description escaped &amp; properly")
expect(actual).contains("entities &apos; are &amp; escaped &lt; in &gt; proper &amp; order")
})

it("uses <no name> for test cases without name", async () => {
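Review bot: the added expectation on line 38 covers only the `name` of the new test case; there is no matching `expect(actual).contains(...)` for its `description`, so half of the fixture added in the first hunk is unasserted. Add a second assertion for the description (once it carries escapable characters), and note that `contains` on the whole rendered output also cannot tell a correctly ordered single-pass result from an implementation that simply did not escape the `&` at all if the surrounding text were ever changed; an exact-match assertion on the rendered cell would make the regression test stricter.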
