The `safeHTMLAttr` function operates on a full attribute definition, not
just within the attribute value.

Docs: https://gohugo.io/functions/safehtmlattr/

For `opengraph.html`, run the whole `content` HTML attribute through
`safeHTMLAttr`. That will preserve `+` signs in formatted dates.

For `vimeo_simple.html`, `safeHTMLAttr` was in the context of an
attribute value, thus having no effect. In this case we could replace it
with `safeURL`, but since the code is coming from an API it is safer to
just let Go's template engine sanitize the value as it already does with
`provider_url`.

Fixes #5236 (no need to change Go upstream)
Related to #5246
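The behaviour the commit message describes can be reproduced with Go's `html/template` directly. The following is an added example, not part of the commit or of Hugo's code; it assumes Hugo's `safeHTMLAttr` corresponds to the `template.HTMLAttr` type, and the function names and the sample date are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
)

// Constructed sample value: an RFC 3339 timestamp with a "+" UTC offset.
const sampleDate = "2018-09-19T10:00:00+02:00"

// render executes a one-off html/template and returns its output.
func render(src string, data interface{}) string {
	var buf bytes.Buffer
	t := template.Must(template.New("t").Parse(src))
	if err := t.Execute(&buf, data); err != nil {
		return "error: " + err.Error()
	}
	return buf.String()
}

// plainValue: a plain string inside an attribute value is escaped by the
// engine, which turns "+" into "&#43;".
func plainValue(v string) string {
	return render(`<meta content="{{ . }}">`, v)
}

// trustedValueOnly: marking only the value as HTMLAttr changes nothing,
// because the action still sits in attribute-value context.
func trustedValueOnly(v string) string {
	return render(`<meta content="{{ . }}">`, template.HTMLAttr(v))
}

// trustedWholeAttr: HTMLAttr covering the whole name="value" pair is emitted
// verbatim, so "+" survives. The engine no longer escapes the value, so it
// is escaped here first to keep quotes from closing the attribute.
func trustedWholeAttr(v string) string {
	attr := fmt.Sprintf(`content="%s"`, html.EscapeString(v))
	return render(`<meta {{ . }}>`, template.HTMLAttr(attr))
}

func main() {
	fmt.Println(plainValue(sampleDate))
	fmt.Println(trustedValueOnly(sampleDate))
	fmt.Println(trustedWholeAttr(sampleDate))
}
```

The second case is why the commit drops the call in `vimeo_simple.html`: applied inside an attribute value, the trusted type gives no benefit, and leaving the value untyped keeps the engine's escaping in charge of API-supplied data.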