Commit 8e03fcb0 authored by Thomas Neil James Shadwell, committed by Ladislau Szomoru

Fix typo in markdown sanitizer (#111258)

There was / is a typo in `markdownRenderer.js` that allowed any *trusted* document to pass arbitrary HTML through the marked.js sanitizer provided it is wrapped in `<span></span>` tags, or similar.

What could you have done with this? Not much that was not already possible in trusted mode, which, as far as I can tell, is used just for Jupyter Notebooks that pretty much definitionally can execute Python anyway.

Insane strips everything worthwhile except `<a data-href=''/>` which you can use to send `command:` URIs on click (`javascript:` URIs are disabled at a higher level of abstraction), but are already whitelisted (L141) for trusted documents.
Parent aeba2de8
......@@ -218,7 +218,7 @@ export function renderMarkdown(markdown: IMarkdownString, options: MarkdownRende
// We always pass the output through insane after this so that we don't rely on
// marked for sanitization.
markedOptions.sanitizer = (html: string): string => {
const match = markdown.isTrusted ? html.match(/^(<span[^<]+>)|(<\/\s*span>)$/) : undefined;
const match = markdown.isTrusted ? html.match(/^(<span[^>]+>)|(<\/\s*span>)$/) : undefined;
return match ? html : '';
};
markedOptions.sanitize = true;
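Review bot: the change on the `const match` line is narrower than it looks: both the old `[^<]+` and the new `[^>]+` forms are alternations in which the first branch is anchored only at the start (`^(<span...>)`) and the second only at the end (`(<\/\s*span>)$`), so any string that merely begins with an opening `<span ...>` tag, or merely ends in `</span>`, is returned in full regardless of what sits between. If the intent is to let through only a bare span open or close tag, anchor both branches at both ends, e.g. `/^(<span[^>]*>|<\/\s*span>)$/`. Two smaller points on the same line: `[^>]+` requires at least one character after `<span`, so an attribute-less `<span>` is rejected, and nothing requires that character to be whitespace, so `<spanx>` would also match; `<span(?:\s[^>]*)?>` handles both. The preceding comment (`We always pass the output through insane after this`) is what actually bounds the impact here, consistent with the commit message; it would help a future reader if the comment also said that `isTrusted` only decides whether span tags survive to that second pass.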