Actually, Sanitizer::encodeAttribute() was broken, so my last fix didn't actually...

Actually, Sanitizer::encodeAttribute() was broken, so my last fix didn't actually work, there was still HTML injection.  Fixed it so it encodes single quotes too.  The only other things in core that used it (or its friend safeEncodeAttribute) appear to be utility functions in Xml and Sanitizer::fixTagAttributes, all of which use double quotes.  However, it's possible that the SemanticForms extension may be affected -- I didn't look closely, but it seems to safely use double-quotes.