
strips tags from the replacement variables custom fields#22904

Merged
thijsoo merged 2 commits into release/26.9 from 1020-fix-custom-fields-replacement-variables
Jan 22, 2026

Conversation

@vraja-pro
Contributor

@vraja-pro vraja-pro commented Jan 22, 2026

Context

Summary

This PR can be summarized in the following changelog entry:

  • Improves the general security of the plugin via sanitization and escaping.

Relevant technical choices:

Test instructions

Test instructions for the acceptance test before the PR gets merged

This PR can be acceptance tested by following these steps:

  • Log in to the WordPress dashboard with Contributor privileges.
  • Create a new post, press the 3 dots -> Preferences -> Advanced and enable "Custom Fields"
  • Create a custom field named xss_payload and set its value to </script><script>alert(document.domain)</script>
  • Switch to the Code Editor and inject the following code:
<!-- wp:paragraph {"yoast-schema":{"@type":"Organization","name":"%%cf_xss_payload%%"}} --> <p>Validation Bypass Content</p> <!-- /wp:paragraph -->
  • Send the post for review
  • Preview the post and check that you don't get any alert.
  • The moment an administrator views the post for review, the JS payload should not execute: no alert.

Relevant test scenarios

  • Changes should be tested with the browser console open
  • Changes should be tested on different posts/pages/taxonomies/custom post types/custom taxonomies
  • Changes should be tested on different editors (Default Block/Gutenberg/Classic/Elementor/other)
  • Changes should be tested on different browsers
  • Changes should be tested on multisite

Test instructions for QA when the code is in the RC

  • QA should use the same steps as above.

QA can test this PR by following these steps:

Impact check

This PR affects the following parts of the plugin, which may require extra testing:

Other environments

  • This PR also affects Shopify. I have added a changelog entry starting with [shopify-seo], added test instructions for Shopify and attached the Shopify label to this PR.
  • This PR also affects Yoast SEO for Google Docs. I have added a changelog entry starting with [yoast-doc-extension], added test instructions for Yoast SEO for Google Docs and attached the Google Docs Add-on label to this PR.

Documentation

  • I have written documentation for this change. For example, comments in the Relevant technical choices, comments in the code, documentation on Confluence / shared Google Drive / Yoast developer portal, or other.

Quality assurance

  • I have tested this code to the best of my abilities.
  • During testing, I had activated all plugins that Yoast SEO provides integrations for.
  • I have added unit tests to verify the code works as intended.
  • If any part of the code is behind a feature flag, my test instructions also cover cases where the feature flag is switched off.
  • I have written this PR in accordance with my team's definition of done.
  • I have checked that the base branch is correctly set.
  • I have run grunt build:images and committed the results, if my PR introduces new images or SVGs.

Innovation

  • No innovation project is applicable for this PR.
  • This PR falls under an innovation project. I have attached the innovation label.
  • I have added my hours to the WBSO document.

Fixes https://github.com/Yoast/reserved-tasks/issues/1020
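The behaviour the test steps above expect (a custom field value pulled into the yoast-schema block attribute must never run as script) can be shown outside WordPress. This is an added PHP example, not the plugin's own code: the resolver and renderer names are assumptions, the custom field values are constructed, and the unsafe branch assumes JSON-LD is emitted with unescaped slashes, as is common for readable URLs.

```php
<?php
// Added example, not Yoast SEO's code. Shows why a %%cf_<name>%% value
// must be tag-stripped before it is embedded in JSON-LD, and a second
// layer (hex-escaping < and >) that holds even if stripping is bypassed.
// Function names are assumed; the custom field values are constructed.

$custom_fields = [
    'xss_payload' => '</script><script>alert(document.domain)</script>',
    'brand'       => 'Example <b>Corp</b>',
];

// Resolve %%cf_<name>%% tokens in one schema string. $strip = false mimics
// the unsafe behaviour; true reimplements wp_strip_all_tags-style stripping
// so the snippet runs without WordPress loaded.
function resolve_cf_vars(string $text, array $fields, bool $strip): string
{
    return preg_replace_callback('/%%cf_([A-Za-z0-9_-]+)%%/', function ($m) use ($fields, $strip) {
        $value = $fields[$m[1]] ?? '';
        if ($strip) {
            // Drop whole <script>/<style> blocks first, then any remaining tags.
            $value = preg_replace('@<(script|style)[^>]*?>.*?</\1>@si', '', $value);
            $value = trim(strip_tags($value));
        }
        return $value;
    }, $text);
}

// Render the schema as an inline JSON-LD element. JSON_HEX_TAG encodes
// < and > as \u003C and \u003E, so a string value can never terminate the
// surrounding <script> element, whatever it contains.
function render_json_ld(array $schema, bool $hex_tags): string
{
    // JSON_UNESCAPED_SLASHES is assumed here; with escaped slashes the raw
    // "</script>" would already be emitted as "<\/script>".
    $flags = JSON_UNESCAPED_SLASHES | ($hex_tags ? JSON_HEX_TAG : 0);
    return '<script type="application/ld+json">' . json_encode($schema, $flags) . '</script>';
}

$template = ['@type' => 'Organization', 'name' => '%%cf_xss_payload%%', 'legalName' => '%%cf_brand%%'];

foreach ([false, true] as $hardened) {
    // array_map keeps the string keys, so the schema shape is preserved.
    $schema = array_map(fn ($v) => resolve_cf_vars($v, $custom_fields, $hardened), $template);
    echo ($hardened ? 'hardened: ' : 'unsafe:   '), render_json_ld($schema, $hardened), PHP_EOL;
}
// Unsafe branch: the raw value is a valid JSON string, but the HTML parser does
// not read JSON; it ends the script element at the first "</script>" it sees.
// Hardened branch: stripping removes the script block from name and the <b>
// tags from legalName, and any < or > that survives is hex-escaped on output.
```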

@vraja-pro vraja-pro added the changelog: other Needs to be included in the 'Other' category in the changelog label Jan 22, 2026
@thijsoo thijsoo self-assigned this Jan 22, 2026
@thijsoo thijsoo added this to the 26.9 milestone Jan 22, 2026
Contributor

@thijsoo thijsoo left a comment


CR + ACC 👍

@thijsoo thijsoo merged commit bfff023 into release/26.9 Jan 22, 2026
28 checks passed
@thijsoo thijsoo deleted the 1020-fix-custom-fields-replacement-variables branch January 22, 2026 10:42

Labels

changelog: other Needs to be included in the 'Other' category in the changelog
