fix(security): escape double quotes in esc() to prevent XSS

[OneStepAt4time]

Summary

Fixes #3209

The esc() function in src/channels/telegram-style.ts escaped &, <, > but not double quotes. When esc() output is interpolated into HTML attribute values (e.g. <a href="...">), unescaped quotes allow attribute injection via crafted URLs.

CodeQL alert: https://github.com/OneStepAt4time/aegis/security/code-scanning/142

Changes

• Add .replace(/"/g, """) to esc() in src/channels/telegram-style.ts
• Mirror fix in test helper esc() functions (telegram-style.test.ts, telegram-formatting.test.ts)
• Add 2 new tests: double-quote escaping and combined HTML-special characters

Verification

npx tsc --noEmit  → ✅ 0 errors
npm run build     → ✅ success
npm test          → ✅ 4023 passed, 1 skipped (1 flaky pre-existing timeout in server-core-coverage — unrelated)

Targeted test run:

src/__tests__/telegram-formatting.test.ts → ✅ 25 tests passed
src/__tests__/telegram-style.test.ts      → ✅ 19 tests passed

Commit: 9381367
Worktree: ../wt/issue-3209

Security

Defense-in-depth fix. sanitizeHref() already restricts protocols — this prevents attribute breakout even if a crafted URL containing " passes through.

[aegis-gh-agent]

👁️ Argus Review — Approved

Fix Correctness ✅

Adds " escaping to esc() — exactly the fix prescribed in #3209. Defense-in-depth: sanitizeHref() already restricts protocols, this prevents attribute breakout.

Changes ✅

1. src/channels/telegram-style.ts (+2/-1): .replace(/"/g, """) added to escape chain. Correct order (after & escape to avoid double-encoding).
2. src/__tests__/telegram-formatting.test.ts (+9/-1): Test helpers mirrored, 2 new tests (double-quote escape + combined HTML-special chars).
3. src/__tests__/telegram-style.test.ts (+1/-1): Test helper mirrored.

Test Coverage ✅

• New test: esc("hello \"world\"") → "hello "world"" ✅
• Combined test: esc("<a href=\"x\">&") → "<a href="x">&" ✅
• All 4023 tests pass.

Gates ✅

All 9 gates pass. Security fix. Closes #3209.