Fix XSS vulnerability in GraphiQL config injection

Security scan flagged an XSS vector where unsanitized query parameters
could break out of the <script> context when embedded in the HTML page.

Solution:
- Escape <, >, and & characters when embedding JSON in the HTML script tag
- Use Unicode escapes (\u003c, \u003e, \u0026) instead of HTML entities
- Unicode escapes are decoded by JavaScript's JSON parser, preserving the
  original query text for GraphiQL
- HTML entities (like &gt;) would NOT be decoded inside <script> tags,
  breaking GraphQL query syntax

This prevents XSS while maintaining correct functionality.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: amcaplan

packages/app/src/cli/services/dev/graphiql/server.ts

@@ -187,7 +187,13 @@ export function setupGraphiQLServer({
     }
 
     // Inject config script before </head>
-    const configScript = `<script>window.__GRAPHIQL_CONFIG__ = ${JSON.stringify(config)};</script>`
+    // Escape < > & in JSON to prevent XSS when embedding in HTML script tags
+    // Use Unicode escapes so JavaScript correctly decodes them (HTML entities would break the query)
+    const safeJson = JSON.stringify(config)
+      .replace(/</g, '\\u003c')
+      .replace(/>/g, '\\u003e')
+      .replace(/&/g, '\\u0026')
+    const configScript = `<script>window.__GRAPHIQL_CONFIG__ = ${safeJson};</script>`
     indexHtml = indexHtml.replace('</head>', `${configScript}\n  </head>`)
 
     res.setHeader('Content-Type', 'text/html')