Add a couple of XSS tests.

Some more tests from Clint Ruoho. The main branch of Instiki (and, I guess,
the old sanitizer) are vulnerable.

Also: under Ruby 1.8.x, CGI.unescapeHTML screws up horribly decoding NCRs
which represent high-bit ASCII characters. UTF-8 agrees with 7-bit ASCII,
but CGI.unescapeHTML doesn't seem to know that they disagree for i>127.
This commit is contained in:
Jacques Distler 2009-01-05 16:25:27 -06:00
parent 8832dd3438
commit 52c1f74ecc
4 changed files with 90 additions and 3 deletions
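The commit message above describes why `Integer#chr` is the wrong way to turn a numeric character reference (NCR) into text once the value passes 127. The following is an added example, not code from this commit or from Instiki: a small NCR decoder that emits UTF-8 via `[cp].pack("U")`, plus two helpers that make the single-byte-versus-UTF-8 difference visible. The function names (`decode_ncrs`, `codepoint_to_utf8`, `chr_bytes`, `pack_bytes`) are assumptions made here; the surrogate check goes beyond what the patch itself does.

```ruby
# Added example (not from the Instiki commit): decoding numeric character
# references (NCRs) to UTF-8, and showing why Integer#chr is the wrong tool
# for code points 128..255.

MAX_CODE_POINT = 0x10FFFF

# Return the UTF-8 string for one code point, or nil if the value is not a
# valid scalar value (above U+10FFFF, or a UTF-16 surrogate). Surrogates are
# rejected here because [cp].pack("U") would otherwise emit a 3-byte sequence
# that no well-formed UTF-8 consumer should accept.
def codepoint_to_utf8(cp)
  return nil if cp > MAX_CODE_POINT
  return nil if (0xD800..0xDFFF).cover?(cp)
  [cp].pack("U")
end

# Decode &#NNN; and &#xHHH; references in +text+. References that do not map
# to a valid scalar value are left untouched, so they stay visibly broken
# instead of turning into stray bytes.
def decode_ncrs(text)
  text.gsub(/&#(x[0-9a-f]+|[0-9]+);/i) do |ref|
    body = $1
    cp = body.start_with?("x", "X") ? body[1..-1].hex : body.to_i
    codepoint_to_utf8(cp) || ref
  end
end

# The 1.8-era defect in one line: Integer#chr yields a single raw byte, which
# is only a valid UTF-8 encoding for values below 128.
def chr_bytes(cp)
  cp.chr.bytes.to_a
end

# The corrected form from the patch: pack("U") produces the multi-byte
# UTF-8 sequence for the code point.
def pack_bytes(cp)
  [cp].pack("U").bytes.to_a
end

if __FILE__ == $0
  # Constructed sample input: a valid Latin-1 range reference in both forms,
  # an astral-plane reference, a surrogate, and an out-of-range value.
  puts decode_ncrs("caf&#233; / caf&#xE9; / &#x1F600; / &#xD800; / &#x110000;")
  p chr_bytes(233)   # [233]       -> lone 0xE9, not valid UTF-8
  p pack_bytes(233)  # [195, 169]  -> "é" encoded correctly
end
```

Running the file prints the decoded sample with the surrogate and out-of-range references left as written; the two `p` lines show the one-byte result of `chr` beside the two-byte UTF-8 result of `pack("U")`, which is exactly the disagreement "for i>127" the commit message refers to.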


@ -2243,7 +2243,7 @@ class String
end
when /\A#x([0-9a-f]+)\z/ni then
if $1.hex < 256
$1.hex.chr
[$1.hex].pack("U")
else
if $1.hex < 1114111
[$1.hex].pack("U")
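Review bot: after this change the `< 256` branch and the `< 1114111` branch both evaluate to `[$1.hex].pack("U")`, so the special case for values below 256 no longer does anything and the two could be collapsed into a single range check. While merging them, note that `if $1.hex < 1114111` excludes U+10FFFF (1114111 is the highest valid code point, so the comparison should be `<=`), and that the range still admits the surrogate code points U+D800..U+DFFF, which `pack("U")` will encode into a byte sequence that is not well-formed UTF-8; rejecting those here would keep the sanitizer from emitting them.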