Implement secure preview handling
Implements three levels of security:
- Always render HTML and javascript
- Always escape HTML and javascript
- If there's no HTML in the document escape it, otherwise ask the user what they want to do
The default behaviour is the last one, the other two are behind a gsettings flag and not exposed to the user