
fix: harden generated pages and dev server paths#288

Merged
brendanjryan merged 1 commit into main from brendanjryan/fix-code-scanning-alerts on Jun 25, 2026

Conversation

@brendanjryan

Collaborator

Summary

  • Enable Jinja HTML autoescaping for generated site pages
  • Normalize and constrain local dev-server request paths before filesystem resolution
  • Add tests for traversal rejection and expected path handling

Motivation

Address code-scanning concerns around generated HTML rendering and local static-file path resolution.

Key design considerations

  • Keep generated page output unchanged for existing trusted content
  • Preserve clean problem-page URL handling
  • Restrict the dev server to localhost and reject decoded parent-directory traversal

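The two hardening points in the summary above (decode-then-normalize-then-constrain request paths before touching the filesystem, and Jinja HTML autoescaping), as an added example that is not the project's own code. It assumes a site root of pre-rendered `.html` files where a clean URL such as `/problems/two-sum` maps to `problems/two-sum.html`; the directory layout, `build_demo_site`, `safe_relative_path`, `resolve_request_path`, `DevHandler`, `serve` and `make_env` are all constructed here for illustration, and `make_env` needs the `jinja2` package installed.

```python
"""Constrained path resolution for a loopback-only static dev server, plus Jinja autoescape.

Added example (not the project's code). Assumes a site root of pre-rendered
.html files where clean URLs like /problems/two-sum map to problems/two-sum.html.
"""
from __future__ import annotations

import os
import posixpath
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import unquote, urlsplit


def safe_relative_path(raw_target: str) -> str | None:
    """Turn an HTTP request target into a normalized, root-relative POSIX path.

    Returns None when the request must be rejected. Percent-decoding happens
    exactly once and *before* any check, so '%2e%2e' cannot slip past a '..' test.
    """
    path = urlsplit(raw_target).path          # drop ?query and #fragment
    decoded = unquote(path)                   # single decode, same as a server would apply
    if "\x00" in decoded or "\\" in decoded:  # NUL and backslash never belong in a URL path
        return None
    if any(seg == ".." for seg in decoded.split("/")):
        return None                           # any parent segment is rejected outright
    # Collapse '//' and './'; the leading '/' keeps normpath from producing '.'
    return posixpath.normpath("/" + decoded).lstrip("/")   # '' means the site root


def resolve_request_path(raw_target: str, root: Path) -> Path | None:
    """Map a request onto a regular file under root, or None (rejected or missing).

    Clean URL handling (assumed layout): '' -> index.html, a directory ->
    <dir>/index.html, an extensionless name -> <name>.html when that file exists.
    """
    rel = safe_relative_path(raw_target)
    if rel is None:
        return None
    root = root.resolve()
    candidate = (root / rel).resolve()        # resolve() also follows symlinks
    if not candidate.is_relative_to(root):    # containment check *after* normalization
        return None                           # catches symlinks that point outside the root
    if candidate.is_dir():
        candidate = candidate / "index.html"
    elif not candidate.suffix and not candidate.exists():
        candidate = candidate.with_suffix(".html")
    return candidate if candidate.is_file() else None


class DevHandler(BaseHTTPRequestHandler):
    """Minimal static handler; rejected and missing paths both answer 404."""
    root: Path = Path(".")

    def do_GET(self) -> None:
        target = resolve_request_path(self.path, self.root)
        if target is None:
            self.send_error(404)              # same answer for traversal and not-found
            return
        body = target.read_bytes()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(root: Path, port: int = 8000) -> HTTPServer:
    """Bind to loopback only so the dev server is never reachable from the LAN."""
    DevHandler.root = root
    return HTTPServer(("127.0.0.1", port), DevHandler)


def make_env(templates: dict[str, str]):
    """Jinja environment with autoescape on: values are HTML-escaped unless marked safe.

    Requires jinja2 (assumption). Trusted pre-rendered fragments can still be
    passed through with the |safe filter or wrapped in markupsafe.Markup.
    """
    from jinja2 import DictLoader, Environment
    return Environment(loader=DictLoader(templates), autoescape=True)


def build_demo_site() -> Path:
    """Create a constructed site tree in a temp dir and return its resolved root."""
    base = Path(tempfile.mkdtemp())
    root = base / "site"
    (root / "problems").mkdir(parents=True)
    (root / "assets").mkdir()
    (root / "index.html").write_text("<h1>home</h1>")
    (root / "problems" / "two-sum.html").write_text("<h1>two sum</h1>")
    (root / "assets" / "app.css").write_text("body{}")
    (base / "secret.txt").write_text("outside the root")   # must never be served
    try:
        os.symlink(base / "secret.txt", root / "leak.txt")  # symlink escaping the root
    except OSError:
        pass                                  # symlinks unsupported here; skip that case
    return root.resolve()


if __name__ == "__main__":
    demo_root = build_demo_site()
    for target in ("/", "/problems/two-sum", "/%2e%2e/secret.txt", "/leak.txt"):
        print(f"{target!r:24} -> {resolve_request_path(target, demo_root)}")
    try:
        env = make_env({"page": "<p>{{ title }}</p>"})
        print(env.get_template("page").render(title="<b>untrusted</b> & co"))
    except ImportError:
        print("jinja2 not installed; skipping the autoescape demo")
```

The order matters: decoding once, rejecting `..` segments, normalizing, and only then resolving against the root means an encoded `%2e%2e` is treated exactly like a literal `..`, and the final `is_relative_to` check is defence in depth against symlinks that normalization cannot see. To actually serve, call `serve(site_root).serve_forever()`.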
@brendanjryan brendanjryan marked this pull request as ready for review June 25, 2026 18:12
@github-actions


Spec Preview

Spec Changed Artifacts
draft-card-charge-00 - HTML · TXT · XML · PDF
draft-evm-charge-00 - HTML · TXT · XML · PDF
draft-hedera-charge-00 - HTML · TXT · XML · PDF
draft-httpauth-payment-00 - HTML · TXT · XML · PDF
draft-lightning-charge-00 - HTML · TXT · XML · PDF
draft-lightning-session-00 - HTML · TXT · XML · PDF
draft-nearintents-charge-00 - HTML · TXT · XML · PDF
draft-payment-discovery-00 - HTML · TXT · XML · PDF
draft-payment-intent-charge-00 - HTML · TXT · XML · PDF
draft-payment-transport-mcp-00 - HTML · TXT · XML · PDF
draft-solana-charge-00 - HTML · TXT · XML · PDF
draft-stellar-charge-00 - HTML · TXT · XML · PDF
draft-stripe-charge-00 - HTML · TXT · XML · PDF
draft-tempo-charge-00 - HTML · TXT · XML · PDF
draft-tempo-session-00 - HTML · TXT · XML · PDF
draft-usdc-charge-00 - HTML · TXT · XML · PDF

Browse preview release assets

@brendanjryan brendanjryan requested a review from parvahuja June 25, 2026 18:14
@brendanjryan brendanjryan merged commit f667841 into main Jun 25, 2026
4 checks passed