Add support for trusted types (CSP)

[tomastrajan]

Hey there!

TLDR; This PR enables apps served with require-trusted-types-for 'script' CSP header to work with ngx-highlightjs.

We (and probably other folks out there) need to be able to use the HTTP Content-Security-Policy (CSP) trusted-types

The gist of it is that the ngx-highlightjs uses innerHTML assignment (with Angular sanitizer which is correct) but still evaluated as a security risk by the CSP. Therefore we have to create a policy to allow consumers to trust the library.

In consumer application then CSP can be enabled for local development and testing using

       "serve": {
          "builder": "@angular-devkit/build-angular:dev-server",
          "options": {
            "browserTarget": "rwc-b2c-components-showcase-rwc:build",
            "headers": {
              "Content-Security-Policy": "trusted-types ngx-highlightjs angular angular#unsafe-bypass angular#bundler; require-trusted-types-for 'script'"
            }
          }
        },

Keep in mind that in the end it is the responsibility of server to set correct CSP headers when serving the application (not responsibility of this lib).

This solution is heavily inspired by Angular own solution
Read more about trusted types and their support in Angular

[MurhafSousli]

Thanks a lot!