FIX: escape youtube title when constructing onebox preview html (#16999)

lib/onebox/engine/youtube_onebox.rb

@@ -42,7 +42,7 @@ module Onebox
           result = parse_embed_response
           result ||= get_opengraph.data
 
-          "<img src='#{result[:image]}' width='#{WIDTH}' height='#{HEIGHT}' title='#{result[:title]}'>"
+          "<img src='#{result[:image]}' width='#{WIDTH}' height='#{HEIGHT}' title='#{CGI::escapeHTML(result[:title])}'>"
         else
           to_html
         end

spec/lib/oneboxer_spec.rb

@@ -384,7 +384,7 @@ describe Oneboxer do
       <<~HTML
         <html>
         <head>
-          <meta property="og:title" content="Onebox1">
+          <meta property="og:title" content="Onebox1 - ceci n'est pas un titre">
           <meta property="og:description" content="this is bodycontent">
           <meta property="og:image" content="https://i.ytimg.com/vi/dQw4w9WgXcQ/maxresdefault.jpg">
         </head>
@@ -416,6 +416,11 @@ describe Oneboxer do
       output = Oneboxer.onebox("https://www.youtube.com/watch?v=dQw4w9WgXcQ", invalidate_oneboxes: true)
       expect(output).to include("<iframe") # Regular youtube onebox
     end
+
+    it "appropriately escapes youtube titles" do
+      preview = Oneboxer.preview("https://www.youtube.com/watch?v=dQw4w9WgXcQ", invalidate_oneboxes: true)
+      expect(preview).to include("ceci n'est pas un titre")
+    end
   end
 
   it "allows iframes from generic sites via the allowed_iframes setting" do