Escape single quotes on the buyer-facing buy page

buy_page.rs kept a private html_escape that omitted the `'` escape the
canonical api::mod.rs impl has, so operator/product/discount-code text
rendered into HTML attributes was under-escaped. Drop the fork, reuse the
canonical escaper, and add a unit test covering the single quote.

licensing-service/src/api/mod.rs

@@ -1193,3 +1193,22 @@ async fn pubkey(
         "public_key_pem": state.keypair.public_key_pem,
     }))
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    /// The canonical escaper must cover the single quote — operator/product/
+    /// discount-code text renders into HTML attributes (incl. single-quoted),
+    /// so omitting `'` is an injection hole. Guards against re-forking a copy
+    /// that drops it (the bug that lived in `buy_page.rs`).
+    #[test]
+    fn html_escape_covers_single_quote_and_friends() {
+        assert_eq!(html_escape("'"), "'");
+        assert_eq!(
+            html_escape(r#"<a href='x' title="y">&</a>"#),
+            "&lt;a href=&#39;x&#39; title=&quot;y&quot;&gt;&amp;&lt;/a&gt;"
+        );
+        assert_eq!(html_escape("plain"), "plain");
+    }
+}