Escape Djot-significant characters when converting HTML text to Djot

[dereuromark]

Problem

HtmlToDjot emitted text-node content verbatim (only normalizing whitespace). When the HTML originates outside Djot - WYSIWYG editors, CMS exports, pasted content, web scraping, the documented primary use case - that text routinely contains characters that are Djot markup. On the next parse they are re-interpreted as markup and the document silently changes meaning.

Concrete round-trips that were broken (HTML -> Djot -> HTML):

<p>a *b* c</p>          ->  a *b* c          ->  <p>a <strong>b</strong> c</p>
<p>- not a list</p>     ->  - not a list     ->  <ul><li>not a list</li></ul>
<p>see [t](u) below</p> ->  see [t](u) below ->  <p>see <a href="u">t</a> below</p>
<p>a \ b</p>            ->  a \ b            ->  <p>a &nbsp;b</p>

A paragraph turning into a list or an emphasis appearing out of nowhere is a correctness bug, not cosmetic normalization.

Fix

Escape Djot-significant characters when emitting HTML text as Djot, in escapeDjotText():

• Inline markers escaped anywhere: \ ` * [ { ~ ^ <. These can open inline constructs (emphasis, code, links/spans, sub/superscript, autolinks, escapes).
• Block markers escaped only at line start (first inline child of a flush-left block container): leading - + # > and ordered-list markers 1. / 1). This is what keeps a paragraph from becoming a list, heading or blockquote. A leading dash run also no longer becomes a thematic break.
• Intraword underscore is left alone: snake_case, SCREAMING_CASE, file_name stay literal. Djot only treats _ as emphasis at word boundaries, so escaping intraword _ is unnecessary noise - and import output is full of identifiers, filenames and URLs. Asterisks get no exemption (Djot emphasis works intraword); ~/^ get none either (H~2~O is a real subscript).
• Link labels no longer double-escape. processLink built its label from already-escaped child text and then ran the label escaper again, doubling backslashes. It now only escapes the label-closing ] on child-derived text; a raw href used as the label still gets full escaping.

Verbatim contexts are untouched: text inside <pre>/code blocks is never escaped.

Scope and non-goals

• Typographic normalization that does not change structure is intentionally kept, matching existing behavior: smart quotes, and --/--- becoming en/em dashes. A leading dash run is still prevented from becoming a thematic break (the structural risk); only the inner dashes get smart-punctuation, exactly like smart quotes.
• This is escape-on-emit, independent of round-trip mode. It fixes external-origin HTML, which previously had no protection. Djot-origin round-trips already preserved author escapes via the round-trip data attributes and are unaffected.

Examples after the fix

<p>a *b* c</p>            ->  a \*b\* c          ->  <p>a *b* c</p>
<p>- not a list</p>       ->  \- not a list      ->  <p>- not a list</p>
<p>use snake_case</p>     ->  use snake_case     ->  <p>use snake_case</p>
<p><em>real</em> text</p> ->  _real_ text        ->  <p><em>real</em> text</p>

[codecov]

Codecov Report

❌ Patch coverage is 92.30769% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.80%. Comparing base (eceebcd) to head (f740f56).

Files with missing lines	Patch %	Lines
src/Converter/HtmlToDjot.php	92.30%	3 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master     #202      +/-   ##
============================================
+ Coverage     91.78%   91.80%   +0.01%     
- Complexity     3441     3452      +11     
============================================
  Files           104      104              
  Lines          9753     9788      +35     
============================================
+ Hits           8952     8986      +34     
- Misses          801      802       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.