fix: sanitize id_prefix to prevent HTML comment injection in SSR output

[mandreko]

Summary

• Strips < and > characters from id_prefix before embedding it in hydration markers
• Prevents malicious prefixes from breaking out of HTML comments and injecting arbitrary HTML into server-rendered output
• Adds a test case (id-prefix-html-comment-sanitization) to cover this scenario

Test plan

• Run existing SSR tests: pnpm test
• Verify the new sample test id-prefix-html-comment-sanitization passes
• Verify that a crafted id_prefix like -->injected<-- does not break SSR hydration markers

[changeset-bot]

⚠️ No Changeset found

Latest commit: ffdfe5d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[dummdidumm]

While it's technically correct that you could do HTML injection here, it's basically impossible to exploit. To do so you would have to provide a dynamic idPrefix to render coming from something that is controllable from the outside. Why would anyone do that? So I'm a bit torn whether or not we want to do this.