fix: decode HTML entities before slugifying header IDs

[gaoflow]

Summary

Fixes #649.

When a markdown header contains HTML entities such as <, &, or >, the header_id_from_text method passes the raw entity string to _slugify before HTML-decoding it.

The & and ; characters are stripped by _slugify as non-word characters, but the entity name letters (e.g. lt) survive and pollute the generated ID:

import markdown2
result = markdown2.markdown("# <othertext", extras={"header-ids": None})
# Actual:   <h1 id="ltothertext">&lt;othertext</h1>
# Expected: <h1 id="othertext">&lt;othertext</h1>

Fix

Call html.unescape() on the header text before slugifying, so entity characters are decoded to their actual Unicode code points first. The resulting characters are then stripped or kept by _slugify as any literal character would be:

# lib/markdown2.py — header_id_from_text()
- header_id = _slugify(text)
+ header_id = _slugify(html.unescape(text))

This is a one-line fix plus a new test case (test/tm-cases/header_ids_entity.*).

Tested

• # <othertext → id="othertext" ✓ (was id="ltothertext")
• # R&D → id="rd" ✓ (was id="rampd")
• # <sometext> → id="sometext" ✓ (unchanged, still correct)
• All existing header_ids_* test cases pass.
• No new test failures introduced (12 pre-existing failures are unchanged).

This pull request was prepared with the assistance of AI, under my direction and review.