saner escaping/unescaping of @ and # sigils

[Conduitry]

I say [WIP] but this should be pretty much done.

This changes the escaping of @ and # sigils to not use a prepended \ (which gets further escaped by JSON.stringify, and complicates the unescaping) and instead just increases by 1 any runs of @ or runs of #.

There are still a couple of gotchas:

• at the point where we're escaping injected CSS, we only want to escape @, because there is no further # unescaping that happens on that string after that point. There's probably a more elegant solution than what I have. Maybe still use stringify but then immediately unescape the # ones?
• the hash that maps characters to their HTML escaped versions in the SSR generated code contains ' as the replacement for ', which we have to now represent as &##39;. Not really a huge deal - kind of amusing more than anything.

This PR does fix the second issue I was seeing, where @s were being dropped from strings passed as attributes to nested components when compiled in SSR mode.

All existing tests pass, but some more tests should be written.

[Conduitry]

Put in what's hopefully a less ugly solution for the proper CSS escaping. Also realized that same alternate escaping should be used on sharedPath, because that's only going to have @s unescaped afterwards. Added a test for what I was seeing fail before. And removed the [WIP]!

[Conduitry]

One more fix, actually. We don't want to escape @ or # in sharedPath at all, because that doesn't run through even the @-unescaping afterwards. This is an issue on master, currently (shared: 'very@contrived#path' results in import { ... } from "very\\@contrived\\#path";) - but I don't see how to test this. Even the tests in test/js/samples have hardcoded compiler options of { shared: true }.

[Rich-Harris]

Thanks so much for taking this on! I have a curious blind spot for this stuff, as you've no doubt noticed 🙈