fix: strip C0 chars before javascript: check; correct mustache-literal docs/tests

- Strip U+0000–U+001F (C0 controls) from the start of the trimmed href
  value before applying the javascript: check. The WHATWG URL parser
  removes these characters before scheme detection, so \x00javascript:
  resolves to the javascript: scheme even though String.prototype.trim()
  leaves them in place.
- Fix invalid test syntax: href="{{"#"}}"` used double-quotes inside the
  surrounding attribute quotes, making it unparseable template syntax.
  Changed to single-quoted mustache: href="{{'#'}}".
- Correct the peer-parity audit comment that said mustache-wrapped string
  literals were "dynamic and skipped" — getStaticAttrValue unwraps them,
  so they ARE validated.
- Update docs to clarify only truly dynamic mustaches (PathExpressions,
  helpers, dynamic concat parts) are skipped; static literal mustaches
  (string/number/boolean) are validated.

Author: johanrd

docs/rules/template-no-invalid-link-href.md

@@ -41,7 +41,7 @@ This rule **allows** the following:
 </template>
 ```
 
-Dynamic hrefs (mustache-valued) are not validated — we can't statically know the resolved URL.
+Mustache hrefs whose value is a **static literal** (string, number, or boolean) are validated — the rule unwraps them to their static value via `getStaticAttrValue`. Only **truly dynamic** mustaches (PathExpressions, helpers with arguments, or concat statements that include a dynamic part) are skipped, because we can't statically determine what they will resolve to at runtime.
 
 ## References
 

lib/rules/template-no-invalid-link-href.js

@@ -120,11 +120,11 @@ ruleTester.run('audit:anchor-is-valid invalidHref (gts)', rule, {
     // === Upstream parity: string-literal expression wrapping "#" or js: ===
     // jsx-a11y: INVALID — `<a href={"#"} />` and `<a href={"javascript:void(0)"} />`
     //   are flagged because `getPropValue` unwraps the literal.
-    // Ours: we only statically resolve GlimmerTextNode / static ConcatStatement;
-    //   a bare `{{ "#" }}` mustache would be dynamic and skipped. The closest
-    //   Glimmer analogue that preserves the intent (a literal `#`) is the
-    //   direct form `href="#"`, already covered above.
-    // No separate case — this collapses into the direct-string case in HBS.
+    // Ours: INVALID — `getStaticAttrValue` unwraps a GlimmerMustacheStatement
+    //   whose sole part is a GlimmerStringLiteral, so `href={{"#"}}` and
+    //   `href={{"javascript:void(0)"}}` resolve to their static string values
+    //   and are validated the same as their direct text-node counterparts.
+    //   Parity with jsx-a11y; cases are covered in the main rule test file.
 
     // === DIVERGENCE — "#!" (common hash-bang placeholder) ===
     // jsx-a11y: VALID — only exact `#` is flagged; `#!` passes through.

tests/audit/anchor-is-valid-href-only/peer-parity.js

@@ -105,7 +105,7 @@ ruleTester.run('template-no-invalid-link-href', rule, {
     // Single-part quoted-mustache (GlimmerConcatStatement wrapping a
     // literal) resolves the same way.
     {
-      code: '<template><a href="{{"#"}}">Click</a></template>',
+      code: "<template><a href=\"{{'#'}}\">Click</a></template>",
       output: null,
       errors: [{ messageId: 'invalidHref' }],
     },