AO3-7342 Update embed sanitizer to new Allow syntax

[not-varram]

Pull Request Checklist

• Have you read "How to write the perfect pull request"?
• Have you read the contributing guidelines?
• Have you added tests for any changed functionality?
• Have you added the Jira issue number
  as the first thing in your pull request title (e.g. AO3-1234 Fix thing)
• Do you have fewer than 5 pull requests already open? If not, please wait
  until they are reviewed and merged before creating new pull requests.

Issue

https://otwarchive.atlassian.net/browse/AO3-7342

Purpose

Support the modern allow="fullscreen" attribute on iframe embeds alongside the legacy allowfullscreen boolean attribute. The allow attribute value is restricted to just "fullscreen" per ADT recommendation, stripping any other directives. This fixes fullscreen for embeds (e.g. Vimeo) that have switched to the new syntax.

Testing Instructions

1. In a work or other field that allows media embeds, paste a Vimeo (or similar) iframe embed that uses allow="fullscreen" instead of allowfullscreen.
2. Verify fullscreen works on the embedded player.
3. Verify an iframe with allow="fullscreen; autoplay" is sanitized down to allow="fullscreen" only.
4. Verify an iframe with allow="autoplay" (no fullscreen) has the allow attribute stripped entirely.
5. Verify old embeds using the legacy allowfullscreen attribute still work.

Credit

varram (he/him)