Escape CDATA before handling conditional comments.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>

library/HTMLPurifier/Lexer.php

@@ -273,11 +273,11 @@ class HTMLPurifier_Lexer
             $html = $this->escapeCommentedCDATA($html);
         }
 
-        $html = $this->removeIEConditional($html);
-
         // escape CDATA
         $html = $this->escapeCDATA($html);
 
+        $html = $this->removeIEConditional($html);
+
         // extract body from document if applicable
         if ($config->get('Core.ConvertDocumentToFragment')) {
             $e = false;