Fix tag name filtering that could result in XSS

[duvduvfb]

gumbo_tag_from_original_text currently uses isspace to detect illegal whitespaces in tag names.

isspace will match on \v and \r, which are not illegal according to the spec (https://html.spec.whatwg.org/multipage/syntax.html#tag-name-state).

This can result in an XSS that will not be possible in a standard-compliant parser: In the current implementation, gumbo_tag_from_original_text will return <script> on the unknown element <script\v> (or <script\rnotreallyscript>).

Serializers relaying on gumbo_tag_from_original_text (such as prettyprint) will transform non-executable <script\v> tags to executable <script> tags.

This diff applies the whitelist in the spec to gumbo_tag_from_original_text and adds unit-tests for this scenario.

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please let us know the company's name.

[duvduvfb]

Legal issues with CLA - can't sign it :(