FIX: Allow sanitized-HTML in GH issues and categories oneboxes. (#25374)

Follow-up to d78357917c

Related meta topic: https://meta.discourse.org/t/html-is-not-render-on-category-onebox-description/289424:

lib/onebox/engine/github_issue_onebox.rb

@@ -40,7 +40,10 @@ module Onebox
         body, excerpt = compute_body(raw["body"])
         ulink = URI(link)
 
-        labels = raw["labels"].map { |l| { name: Emoji.codes_to_img(CGI.escapeHTML(l["name"])) } }
+        labels =
+          raw["labels"].map do |l|
+            { name: Emoji.codes_to_img(Onebox::Helpers.sanitize(l["name"])) }
+          end
 
         {
           link: @url,

lib/onebox/templates/discourse_category_onebox.mustache

@@ -12,7 +12,7 @@
     {{#description}}
       <div>
         <span class="description">
-          <p>{{description}}</p>
+          <p>{{{description}}}</p>
         </span>
       </div>
     {{/description}}

lib/oneboxer.rb

@@ -486,7 +486,7 @@ module Oneboxer
         name: category.name,
         color: category.color,
         logo_url: category.uploaded_logo&.url,
-        description: category.description,
+        description: Onebox::Helpers.sanitize(category.description),
         has_subcategories: category.subcategories.present?,
         subcategories:
           category.subcategories.collect { |sc| { name: sc.name, color: sc.color, url: sc.url } },