html/template: reenable testcases and fix mis-escaped sequences.

Tighter octal parsing broke some tests and were disabled in
https://golang.org/cl/5530051

Those tests were broken.  The CSS decoder was supposed to see CSS
hex escape sequences of the form '\' <hex>+, but those escape
sequences were instead being consumed by the template parser.

This change properly escapes those escape sequences, and uses
proper escaping for NULs.

R=golang-dev, rsc, nigeltao
CC=golang-dev
https://golang.org/cl/5529073

src/pkg/html/template/escape_test.go

@@ -300,23 +300,21 @@ func TestEscape(t *testing.T) {
 			`<p style="color: {{"#8ff"}}; background: {{"#000"}}">`,
 			`<p style="color: #8ff; background: #000">`,
 		},
-		// This test is broken by the fix to issue 2658.
-		// {
-		// 	"styleObfuscatedExpressionBlocked",
-		// 	`<p style="width: {{"  e\78preS\0Sio/**/n(alert(1337))"}}">`,
-		// 	`<p style="width: ZgotmplZ">`,
-		// },
+		{
+			"styleObfuscatedExpressionBlocked",
+			`<p style="width: {{"  e\\78preS\x00Sio/**/n(alert(1337))"}}">`,
+			`<p style="width: ZgotmplZ">`,
+		},
 		{
 			"styleMozBindingBlocked",
 			`<p style="{{"-moz-binding(alert(1337))"}}: ...">`,
 			`<p style="ZgotmplZ: ...">`,
 		},
-		// This test is broken by the fix to issue 2658.
-		// {
-		// 	"styleObfuscatedMozBindingBlocked",
-		// 	`<p style="{{"  -mo\7a-B\0I/**/nding(alert(1337))"}}: ...">`,
-		// 	`<p style="ZgotmplZ: ...">`,
-		// },
+		{
+			"styleObfuscatedMozBindingBlocked",
+			`<p style="{{"  -mo\\7a-B\x00I/**/nding(alert(1337))"}}: ...">`,
+			`<p style="ZgotmplZ: ...">`,
+		},
 		{
 			"styleFontNameString",
 			`<p style='font-family: "{{"Times New Roman"}}"'>`,