
    Fix encoding issues in marked.js with ampersands.

    Review Request #6560 — Created Nov. 5, 2014 and submitted

    Information

    Review Board
    release-2.0.9-prep
    ac49796...

    Reviewers

    By default, when processing text blocks in marked.js, ampersands
    wouldn't be encoded to "&amp;". This caused problems when attempting to
    write a literal "&lt;", which would end up staying as a literal "&lt;",
    turning into a "<" during render.

    This happened because text blocks weren't specifying that ampersands
    needed to be encoded. This simple change specifies that ampersand
    encoding is required when escaping text.

    Note that no XSS issues were resulting from the above flaw in marked.js.
    It was purely a visual rendering issue.

    Tested a variety of characters and didn't see any problems.

    Setting this flag to true just tells it to convert & to &amp;.
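
The behaviour described above, as an added example that is not part of the review request or of marked.js: `escapeText`, `decodeEntities` and `roundTrip` are hypothetical helpers, and the regular expressions are assumptions modelled on the description. It shows why typed entity text fails to round-trip when the ampersand is left alone, and why `<` is escaped in both modes, so the flaw stays a rendering issue rather than an injection one.

```javascript
// Added illustration; all names here are hypothetical, not taken from the diff.

// Escape text for insertion into HTML. With encode=false, an ampersand that
// already begins something entity-shaped (e.g. "&lt;") is left untouched.
function escapeText(text, encode) {
  const amp = encode ? /&/g : /&(?!#?\w+;)/g;
  return text
    .replace(amp, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal stand-in for what a browser displays after parsing the markup.
// Single pass, so "&amp;lt;" decodes to "&lt;" and not all the way to "<".
function decodeEntities(html) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => map[name]);
}

// Escape, then "render", and report whether the reader sees what was typed.
function roundTrip(text, encode) {
  const html = escapeText(text, encode);
  const rendered = decodeEntities(html);
  return { html, rendered, faithful: rendered === text };
}

// Constructed sample inputs.
const samples = [
  'Use &lt; for less-than',      // user wants the literal entity text shown
  'a & b',                       // bare ampersand: escaped in both modes
  '<script>alert(1)</script>',   // markup characters: escaped in both modes
];

for (const s of samples) {
  for (const encode of [false, true]) {
    console.log(JSON.stringify({ input: s, encode, ...roundTrip(s, encode) }));
  }
}
```
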

    reviewbot
    1. Tool: Pyflakes
      Ignored Files:
          reviewboard/static/lib/js/marked.js
      
      
      
      Tool: PEP8 Style Checker
      Ignored Files:
          reviewboard/static/lib/js/marked.js
      
      
    david
    1. Ship It!

    chipx86
    Review request changed
    Status:
    Completed