fix($sanitize): remove inline style from sanitization Firefox bug detection

Inserting a `style` tag causes a CSP violation when using a strict CSP that
doesn't allow inline styles. The `style` tag doesn't seem relevant for the
Firefox bug detection, and can be replaced with a `span`, see issue angular#16463
for more details.

The related unit test in `sanitizeSpec.js`, "should not allow JavaScript
hidden in badly formed HTML to get through sanitization (Firefox bug)", is
left untouched and still uses `style` to assert that the behavior hasn't
changed in the original scenario.

Fixes angular#16463.

Author: peruukki

src/ngSanitize/sanitize.js

@@ -441,7 +441,7 @@ function $SanitizeProvider() {
       return getInertBodyElement_XHR;
     } else {
       // Check for the Firefox bug - which prevents the inner img JS from being sanitized
-      inertBodyElement.innerHTML = '<svg><p><style><img src="</style><img src=x onerror=alert(1)//">';
+      inertBodyElement.innerHTML = '<svg><p><span><img src="</span><img src=x onerror=alert(1)//">';
       if (inertBodyElement.querySelector('svg img')) {
         return getInertBodyElement_DOMParser;
       } else {