Consistency pass on href outputs

[moppius]

Now they all have double quotes and all processed as safe, so it doesn't end up with HTML codes in the output URL.

For example, before this change, the <head> section would contain raw code as such:

    <link rel="preload" href=https:&#x2F;&#x2F;cdnjs.cloudflare.com&#x2F;ajax&#x2F;libs&#x2F;font-awesome&#x2F;6.3.0&#x2F;css&#x2F;all.min.css as="style" onload="this.onload=null;this.rel='stylesheet'">
    <noscript><link rel="stylesheet" href=https:&#x2F;&#x2F;cdnjs.cloudflare.com&#x2F;ajax&#x2F;libs&#x2F;font-awesome&#x2F;6.3.0&#x2F;css&#x2F;all.min.css></noscript>

After this change, the raw output is more consistent and clear:

    <link rel="preload" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.3.0/css/all.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
    <noscript><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.3.0/css/all.min.css"></noscript>

Similarly, the site header links were not processed as safe so they also looked similarly odd in the raw code.

[moppius]

I recommend squashing & merging this if you accept it, since I had to make two commits!