Ensure <script> tags rendered via TemplateResults on server do not result in executable code on client #67

Description

@kevinpschaaf

On the client, this code will not result in script execution:

import { html, render } from 'lit-html';

// container: the DOM node the template is rendered into
const result = html`<script>alert('hi')</script>`;
render(result, container);

However, when rendering the same template via render-lit-html, the script will be emitted into the page and executed when parsed on the client. The SSR code should (optionally) identify <script> tags and mark them with a type="disabled" or similar attribute to prevent script execution, to maintain the same client-side security guarantees when server-rendering.
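One way to implement the mitigation the issue proposes, as an added example that is not code from render-lit-html or lit-ssr: a post-processing pass over the server-rendered HTML string that rewrites every `<script>` start tag to carry `type="disabled"`, so the browser parses the element as an inert data block instead of executing it. The function name `neutralizeScriptTags` and the sample markup are constructed for this example.

```javascript
// Added example (not render-lit-html / lit-ssr code): rewrite every <script>
// start tag in server-rendered HTML so the browser treats the element as an
// inert data block. Per the HTML spec, a script whose type is not a JavaScript
// MIME type, "module", "importmap" or "speculationrules" is never executed.
const SCRIPT_START = /<script(?=[\s/>])/gi;  // "<script" followed by space, "/" or ">"
const TYPE_ATTR = /\s+type\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/gi;

function neutralizeScriptTags(ssrHtml) {
  let out = '';
  let pos = 0;
  let rewritten = 0;
  SCRIPT_START.lastIndex = 0;
  let m;
  while ((m = SCRIPT_START.exec(ssrHtml)) !== null) {
    // Walk to the end of the start tag, skipping over quoted attribute values
    // so a literal ">" inside a quoted value does not end the tag early.
    let i = m.index + m[0].length;
    let quote = null;
    while (i < ssrHtml.length) {
      const ch = ssrHtml[i];
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === '>') break;
      i++;
    }
    if (i >= ssrHtml.length) break;  // unterminated tag: leave the tail as-is
    // Drop any existing type (e.g. type="module") and a trailing "/", then
    // force the non-executable type proposed in the issue.
    const attrs = ssrHtml.slice(m.index + m[0].length, i)
      .replace(TYPE_ATTR, '')
      .replace(/\s*\/\s*$/, '');
    out += ssrHtml.slice(pos, m.index) + `<script${attrs} type="disabled">`;
    pos = i + 1;
    SCRIPT_START.lastIndex = pos;
    rewritten++;
  }
  out += ssrHtml.slice(pos);
  return { html: out, rewritten };
}

// Constructed sample of what an SSR pass might emit for the template in the
// issue, plus an escaped value and a lookalike tag that must be left alone.
const sample =
  `<div>&lt;script&gt; as text</div><script>alert('hi')</script>` +
  `<SCRIPT type="module" src='/app.js'></SCRIPT><scripted-el></scripted-el>`;
const result = neutralizeScriptTags(sample);
console.log(result.rewritten, 'script tag(s) neutralized');
console.log(result.html);
```

This only covers literal `<script>` tags in the template's static strings; interpolated values still rely on lit-html's normal escaping, and an SSR build step could apply the pass once when the templates are prepared rather than on every request.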
