fix: escape HTML special characters in build.sh to prevent HTML injection

[pranitaurlam]

Summary

• Adds html_escape() function to sanitize &, <, >, and " characters before interpolating git-derived data into public/index.html
• Applies escaping to $GITTAG, $TAGTITLE, and $GITDATE used in HTML table rows
• Fixes unquoted echo $HTML → echo "$HTML" to prevent word splitting

Closes #1220 in graphql/graphql-spec

Test plan

• Verify build.sh runs successfully on current repo
• Verify that a git tag containing <script> would be escaped to <script> in the output HTML
• Verify that a commit date with & would be rendered as & in the output HTML

🤖 Generated with Claude Code

[netlify]

✅ Deploy Preview for graphql-spec-draft ready!

Name	Link
🔨 Latest commit	ce5b6fe
🔍 Latest deploy log	https://app.netlify.com/projects/graphql-spec-draft/deploys/69d510d6c7a170000828ede3
😎 Deploy Preview	https://deploy-preview-1222--graphql-spec-draft.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[linux-foundation-easycla]

• ❌ - login: @bhanuprasad14 / name: Test User. The commit (ce5b6fe) is not authorized under a signed CLA. Please click here to be authorized. For further assistance with EasyCLA, please submit a support request ticket.

[benjie]

Hi @pranitaurlam; thanks for raising this PR but we can't review or incorporate it until you've signed the CLA. Let us know if you need any assistance.