script tags being incorrectly escaped

Seems like we got it wrong in #54 ... At least Chrome chokes on `&quot;` in `script` tags.

[coverity-security-library](https://github.com/coverity/coverity-security-library/blob/develop/coverity-escapers/src/main/java/com/coverity/security/Escape.java#L424) has a bit of code it seems like we can port.
