
ToJSON for URI includes passwords

Open ezrakilty opened this issue 5 months ago • 0 comments

The instance of ToJSON given for Network.URI objects passes id for the function that is intended to sanitize passwords out of the UserInfo field of a URI, meaning that by default uses of this instance will include any password in the output:

https://github.com/haskell/aeson/blob/c93d60d82388c184a9cf240f016a728c9d0e758f/src/Data/Aeson/Types/ToJSON.hs#L2154

There will be many cases where users probably do want to serialize the password component of a URI, but it is perhaps not a good default. What do you think?

ezrakilty · Aug 27 '24 01:08
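One way a caller can keep passwords out of JSON output regardless of the library default, shown as an added example that is not part of the issue or of aeson: wrap the URI in a newtype whose `ToJSON` instance passes a masking function to `uriToString` instead of `id`. The names `RedactedURI` and `maskPassword` are hypothetical, and the sample URI is constructed.

```haskell
module Main (main) where

import           Data.Aeson (ToJSON (..), Value (String), encode)
import qualified Data.ByteString.Lazy.Char8 as BL
import qualified Data.Text as T
import           Network.URI (URI, parseURI, uriToString)

-- Hypothetical wrapper (not part of aeson): a URI whose JSON form
-- never carries the password from the userinfo component.
newtype RedactedURI = RedactedURI URI

-- uriToString hands this function the raw userinfo, including the
-- trailing '@' (for example "alice:s3cret@"). Keep the user name and
-- replace whatever follows the first ':' with a fixed mask.
maskPassword :: String -> String
maskPassword userInfo =
  case break (== ':') userInfo of
    (user, ':' : _) -> user ++ ":***@"
    _               -> userInfo  -- no ':' means no password, e.g. "alice@"

instance ToJSON RedactedURI where
  toJSON (RedactedURI u) =
    String (T.pack (uriToString maskPassword u ""))

main :: IO ()
main =
  -- Constructed sample input with an embedded credential.
  case parseURI "https://alice:s3cret@example.com/api?x=1" of
    Nothing -> putStrLn "sample URI failed to parse"
    Just u  -> do
      -- What a serializer built on `uriToString id` emits: password intact.
      putStrLn (uriToString id u "")
      -- The wrapper's JSON encoding: password masked.
      BL.putStrLn (encode (RedactedURI u))
```

The `Show` instance in `network-uri` already masks the password in a similar way, so the wrapper brings the JSON encoding in line with what `show` prints.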