HtmlPolicy to forbid inline event handlers

[kelunik]

Most projects should have a strict content security policy and should be using it without unsafe-inline to be effective, so on* attributes should mostly be forbidden instead of being special treated in gg.jte.html.OwaspHtmlTemplateOutput's writeTagAttributeUserContent.

[casid]

@kelunik I've added a policy for this.

Right now it is not part of the default OwaspHtmlPolicy. As we don't know if/how users have set up a strict csp I'd suggest to leave the default as is. Advanced users can then add additional policies to fit their need.

What do you think?