Add support for Trusted Types #2579
Closed
Description
Trusted Types helps prevent DOM-based XSS from appearing in web applications.
Given that jQuery also supports Trusted Types, adding support for Trusted Types to Knockout would be a good idea.
Most of the changes would be to pass the given HTML through without modification, especially if the HTML is a TrustedHTML.
This means that if we add support for Trusted Types AND a web developer would like to enforce Trusted Types, the following code would not work.
<!-- DOM-based XSS -->
<p>Name: <strong data-bind="html: decodeURI(location.hash.slice(1))"></strong></p>
Instead, the above code has to be changed to something safer.
<p>Name: <strong data-bind="html: userName"></strong></p>
<script>
  // Policy whose createHTML rule sanitizes every input before it becomes TrustedHTML.
  // sanitize() is an application-provided HTML sanitizer, assumed to exist here.
  const policy = trustedTypes.createPolicy('app-policy', {
    createHTML: input => {
      return sanitize(input);
    }
  });
  function AppViewModel() {
    // The view model exposes a TrustedHTML value, not a raw string.
    this.userName = policy.createHTML(decodeURI(location.hash.slice(1)));
  }
  ko.applyBindings(new AppViewModel());
</script>