Function isSafeAttribute

Check whether an HTML attribute name is safe to include in rendered output.

The check applies three rules in order:

1. Block all event handlers (on* prefix) unconditionally
2. Allow accessibility (aria-*) and custom data (data-*) attributes
3. Allow only attributes in the SAFE_ATTRIBUTES allowlist