reader-handler: unbreak reader mode and add CSP
HTML-encoding the content passed to reader mode does not work because it contains HTML markup generated by Readability.js. Oops. I must have seriously screwed up when testing this yesterday, because there is no way this could ever have worked.
Upstream recommends use of a DOM purifier, but in theory, if we completely block all script execution, we can avoid the need for that. So add a CSP recommended by Patrick.
We'll sneak in a couple bonus fixes: use ' rather than " to improve readability, and close the
Edited by Michael Catanzaro