Harden widget config input handling

[neonwatty]

Summary

• add shared widget sanitizers for HTML, URLs, CSS colors, font families, numeric values, pixel values, and shadow presets
• validate widget data-* config before applying runtime behavior while preserving px compatibility for radius and border width
• build trigger label/icon DOM safely instead of interpolating config into innerHTML
• make required submitter fields imply visible fields at runtime
• sanitize modal titles, issue links, and picker/widget styling inputs
• update icon E2E coverage for the new URL policy and hostile label/icon config

Verification

• npm run test
• npm run typecheck
• npm run lint (existing warnings only)
• npm run build:widget
• npx playwright test e2e/widget.spec.ts --project=chromium -g "Custom Icon"
• npx playwright test --project=chromium --shard=2/2

[github-actions]

🎉 This PR is included in version 1.33.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀