WIP: fix(toast): sanitize auto wrapped custom toast templates

[Splaktar]

PR Checklist

Please check that your PR fulfills the following requirements:

• The commit message follows our guidelines
• Tests for the changes have been added or this is not a bug fix / enhancement
• Docs have been added, updated, or were not required

PR Type

What kind of change does this PR introduce?

[x] Bugfix
[ ] Enhancement
[ ] Documentation content changes
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Build related changes
[ ] CI related changes
[ ] Infrastructure changes
[ ] Other... Please describe:

What is the current behavior?

There was an issue filed in g3 about using innerHTML here in md-toast for custom toasts.

Issue Number:
Related to #6494. Related to #6259.

What is the new behavior?

Protect against a possible XSS vector by sanitizing all elements inside of the template's outer <md-toast><sanitize everything here></md-toast> element. This could be multiple DOM elements, comments, etc.

Does this PR introduce a breaking change?

[x] Yes
[ ] No

This may require ngSanitize in some apps that previously didn't use it. In those cases, the apps would break with an $sce exception.

Other information

This uses a similar approach to md-select's approach to sanitizing text that can contain HTML.

[Splaktar]

@mmalerba there's another edge case here where a custom template may specify autoWrap = false. I tested and verified that a <script> could be injected here (but I wasn't able to get it to execute).

I just wanted to confirm that you thought it was worth while to go and try to trust the templates passed in here from $mdToast.simple() and $mdToast.showSimple().

[bersLucas]

Browser will (hopefully) stop injected stuff from being executed, but adding stuff like <img src="/" onerror = "alert(1);"/> will inject and execute