Patchstack vulnerability reported #635

@jamesros161

Describe the bug
Adding JavaScript to the bgc_heading_type attribute of a 'Site Title', 'Site Description', or 'Page Title' component results in that script being executed.

To Reproduce
Steps to reproduce the behavior:

  1. Install PPB, PPBP, and Crio
  2. Edit or create a Custom Header
  3. Add one or more of the above components
  4. Switch to the HTML view, and change the bgc_heading_type attribute to include "img+src=x+onerror=alert(1)". This can easily be done by replacing an entire Page Title component with the following:
[boldgrid_component type="wp_boldgrid_component_page_title" opts="%7B%22widget-boldgrid_component_page_title%5B%5D%5Bbgc_title_alignment%5D%22%3A%22center%22%2C%22widget-boldgrid_component_page_title%5B%5D%5Bbgc_heading_type%5D%22%3A%22img+src=x+onerror=alert(1)%22%7D"]
  5. Save the post, and Preview it. You should see an alert window show, with the number 1 displayed.

Expected behavior
The tag for the bgc_heading_type should be escaped / validated to only allow an Hx tag.
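The following is an added example, not code from the BoldGrid plugins or from the reporter. It decodes the opts value from the shortcode above, shows the rendering pattern the report implies (the option trusted as a tag name), and the allowlist check the expected-behavior section asks for. Function names, the fallback tag `h1`, and the way the option key is located are assumptions for illustration.

```php
<?php
// Added example, not the PPB/PPBP/Crio code. Models the issue: a component
// option that should hold a heading tag name (h1..h6) is interpolated into HTML.

// The opts="" value from the reproduction shortcode, copied as-is.
const REPORTED_OPTS = '%7B%22widget-boldgrid_component_page_title%5B%5D%5Bbgc_title_alignment%5D%22%3A%22center%22%2C%22widget-boldgrid_component_page_title%5B%5D%5Bbgc_heading_type%5D%22%3A%22img+src=x+onerror=alert(1)%22%7D';

// opts is URL-encoded JSON; '+' decodes to a space, which is what the payload relies on.
function decode_opts(string $opts): array {
    $decoded = json_decode(urldecode($opts), true);
    return is_array($decoded) ? $decoded : [];
}

// Hypothetical lookup: the option key ends in [bgc_heading_type].
function heading_type_from_opts(array $opts, string $default = 'h1'): string {
    foreach ($opts as $key => $value) {
        if (str_ends_with((string) $key, '[bgc_heading_type]')) {
            return (string) $value;
        }
    }
    return $default;
}

// Vulnerable pattern: the option is used directly as the tag name.
// With the reported value this emits <img src=x onerror=alert(1)>...,
// so the browser fires onerror even though the title text itself is escaped.
function render_title_vulnerable(string $heading_type, string $title): string {
    $text = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return "<{$heading_type}>{$text}</{$heading_type}>";
}

// Hardened: allow only h1..h6, fall back to a known-good tag otherwise.
// An allowlist is preferable to character stripping: a sanitizer that only
// removes non-alphanumerics would still let an arbitrary element name through.
function sanitize_heading_type(string $heading_type, string $default = 'h1'): string {
    $allowed = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6'];
    $tag = strtolower(trim($heading_type));
    return in_array($tag, $allowed, true) ? $tag : $default;
}

function render_title_safe(string $heading_type, string $title): string {
    $tag  = sanitize_heading_type($heading_type);
    $text = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return "<{$tag}>{$text}</{$tag}>";
}

$opts = decode_opts(REPORTED_OPTS);
$type = heading_type_from_opts($opts);
echo "decoded bgc_heading_type: {$type}\n";
echo "vulnerable: " . render_title_vulnerable($type, 'Hello') . "\n";
echo "hardened:   " . render_title_safe($type, 'Hello') . "\n";
```

Run with `php example.php` (PHP 8 or later for `str_ends_with`). The vulnerable line prints `<img src=x onerror=alert(1)>Hello</img src=x onerror=alert(1)>`; the hardened line prints `<h1>Hello</h1>`, because the reported value is not in the allowlist and falls back to the default.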
