Feature: Recommend escaping strings that can contain user-typed HTML #407

Open
willbroderick opened this issue Nov 1, 2022 · 0 comments

Comments

@willbroderick

I would love to see Theme Check recommend escaping all user-entered plain text (with | escape).
I see a lot of developers not escaping strings in Liquid {{ ... }} output.

The information that would tell us which Liquid object properties need escaping is not available in any form. So this may be a large task.

I can see this needing:

  1. A maintained list of Liquid object properties that need escaping. I don't know if Shopify could take this on.
  2. A method of identifying when these properties are being output onto the page (taking into account assignment, loops, etc).

There are many examples of this issue in the current version of Dawn.

If you enter a Discount with the name This <is> a discount, any page on which the discount shows will contain the HTML tag <is> when output:
https://github.com/Shopify/dawn/blob/627bb72c748cb02e905d5972e41c7e4a0cccd620/sections/main-order.liquid#L237
I don't believe this is desired.

An HTML attribute example:
https://github.com/Shopify/dawn/blob/acff8d7c6be60f7d2ec220ca1a21be2c619ff633/snippets/facets.liquid#L116

Enter a double-quote into a value that displays in a facet filter (like a distance - 6"), and the HTML becomes broken.

This occurs in a large number of places in Dawn and other themes. Theme Check would be a great tool for enforcing good practices here.

@lukeh-shopify lukeh-shopify transferred this issue from Shopify/theme-check Jul 12, 2024
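A minimal version of the check sketched in points 1 and 2 above, as an added example that is not Theme Check's or Dawn's code: it flags {{ }} outputs of listed properties that lack an escaping filter and follows simple {% assign %} aliases. The property list and the sample template are constructed stand-ins, not Shopify's data.

```ruby
# Constructed stand-in for the "maintained list" the issue asks for; the real
# set of properties would have to come from Shopify.
UNSAFE_PROPERTIES = %w[discount.title filter_value.label product.title].freeze
# Liquid filters that neutralise HTML metacharacters (< > " &) in the output.
ESCAPING_FILTERS = %w[escape escape_once].freeze
OUTPUT_TAG = /\{\{-?(.*?)-?\}\}/
ASSIGN_TAG = /\{%-?\s*assign\s+(\w+)\s*=\s*(.*?)\s*-?%\}/
# Split "expr | filter: arg | filter" into the expression and its filter names.
def split_output(body)
  expression, *filters = body.split("|").map(&:strip)
  [expression, filters.map { |f| f.split(":").first.strip }]
end
def escaped?(filters)
  filters.any? { |f| ESCAPING_FILTERS.include?(f) }
end
# Returns one hash { line:, expression:, resolves_to: } per unescaped output of
# an unsafe property. Only {% assign %} aliases are followed; loop variables
# are taken at face value.
def find_unescaped_outputs(liquid_source)
  aliases = {} # variable name => property it holds (nil once escaped)
  findings = []
  liquid_source.each_line.with_index(1) do |line, lineno|
    line.scan(ASSIGN_TAG) do |name, rhs|
      expression, filters = split_output(rhs)
      aliases[name] = escaped?(filters) ? nil : aliases.fetch(expression, expression)
    end
    line.scan(OUTPUT_TAG).flatten.each do |body|
      expression, filters = split_output(body)
      property = aliases.fetch(expression, expression)
      next unless UNSAFE_PROPERTIES.include?(property) && !escaped?(filters)
      findings << { line: lineno, expression: expression, resolves_to: property }
    end
  end
  findings
end

# Constructed template echoing the Dawn cases from the issue: a discount title
# in text content and a facet label inside an attribute value.
SAMPLE_TEMPLATE = <<~LIQUID
  {% for discount in order.discounts %}
    <span>{{ discount.title }}</span>
  {% endfor %}
  {% assign label = filter_value.label %}
  <input type="checkbox" aria-label="{{ label }}">
  <span>{{ product.title | escape }}</span>
  {% assign safe_label = filter_value.label | escape_once %}
  <span>{{ safe_label }}</span>
LIQUID
find_unescaped_outputs(SAMPLE_TEMPLATE).each do |f|
  puts "line #{f[:line]}: {{ #{f[:expression]} }} outputs #{f[:resolves_to]} unescaped"
end
```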