Don't permit < in html attribute positions
Although it's acceptable by the html5 tokenizing spec, the php parse's
Sanitizer::removeHTMLtags explodes on the character so it just can't be
found in any position there.
However, it's ok in extension tags since those get stripped first.
A test is added which clarifies the difference.