| #
ada0d779 |
| 15-Apr-2018 |
Michael Hamann <michael@content-space.de> |
Prevent HTML and JS injection in section names
Before this change, HTML and some JS code (as far as it was not escaped by json_encode) could be injected into the output as the closing pattern that is checked by the regex is not escaped in JSON (see test case).
|