More Secure Export States Inline #158

@Austio

Currently `apolloProvider.exportStates()` uses `JSON.stringify` to serialize JavaScript into the DOM:

```js
const js = `${finalOptions.attachTo}.${finalOptions.globalName} = ${JSON.stringify(states)};`
```

This can cause a situation where someone saves something like `"></script><script>alert(1)</script>` in a field, and when it is rendered into the HTML it will be evaluated.

We solved this by using the serialize-javascript library on `apolloProvider.getStates()`.

Any thoughts on adding this by default in the project for SSR? If so, I could run with the feature. A few considerations:

  1. Not include serialize-javascript in the client bundle.
  2. Keep `getStates()` the same so that people can do what they want, but keep `exportStates()` safely serialized by default.
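The break-out described in the issue, shown as an added example that is not part of the issue, of vue-apollo or of the serialize-javascript library: the `JSON.stringify` template from the issue is reproduced beside a script-safe serializer that escapes the characters the HTML parser cares about (`<`, `>`, `/`, U+2028, U+2029) as JSON `\uXXXX` sequences, which is the same idea serialize-javascript applies. The function names (`exportStatesUnsafe`, `exportStatesSafe`, `serializeForScript`, `breaksOutOfScript`), the `window.__APOLLO_STATE__` target and the sample cache entry are assumptions made for this illustration.

```javascript
// Added example, not vue-apollo's code. Contrasts the JSON.stringify
// serialisation quoted in the issue with a serialisation that is safe to
// embed inside an inline <script> element. Names and sample data are
// assumptions for this illustration.

const attachTo = 'window';               // assumed finalOptions.attachTo
const globalName = '__APOLLO_STATE__';   // assumed finalOptions.globalName

// Vulnerable form, as quoted in the issue: JSON.stringify leaves '<', '>'
// and '/' untouched, so a stored "</script>" ends the SSR inline script
// early and whatever follows is parsed as fresh HTML.
function exportStatesUnsafe(states) {
  return `${attachTo}.${globalName} = ${JSON.stringify(states)};`;
}

// Hardened form: same JSON, but every character that the HTML parser could
// interpret as markup is emitted as a \uXXXX escape. The result is still
// valid JSON and valid JavaScript, so JSON.parse (and the browser) recover
// exactly the original value.
function serializeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\//g, '\\u002f')
    .replace(/\u2028/g, '\\u2028')   // line terminators in JS, not in JSON
    .replace(/\u2029/g, '\\u2029');
}

function exportStatesSafe(states) {
  return `${attachTo}.${globalName} = ${serializeForScript(states)};`;
}

// Would the HTML parser stop treating this text as script content?
// A <script> element ends at "</script" (case-insensitively); "<!--" also
// switches the tokenizer into its escaped state, so flag both.
function breaksOutOfScript(js) {
  return /<\/script|<!--/i.test(js);
}

// Constructed sample: an Apollo cache entry whose "bio" field holds the
// payload from the issue.
const sampleStates = {
  defaultClient: {
    'User:1': {
      __typename: 'User',
      id: '1',
      bio: '"></script><script>alert(1)</script>',
    },
  },
};

function demo() {
  const unsafe = exportStatesUnsafe(sampleStates);
  const safe = exportStatesSafe(sampleStates);
  // Round-trip shows the escaping changed only the encoding, not the data.
  const roundTrip = JSON.parse(serializeForScript(sampleStates));
  return {
    unsafeBreaksOut: breaksOutOfScript(unsafe),   // true
    safeBreaksOut: breaksOutOfScript(safe),       // false
    roundTripBio: roundTrip.defaultClient['User:1'].bio,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The escaping belongs in `exportStates()` only; `getStates()` can keep returning the raw object, which matches the second consideration above. Note that this protects the inline script context only: the same value written into an attribute or into element text still needs HTML escaping.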
