fix(response): use HTML entity escaping for redirect body

`encodeURI` does not escape HTML metacharacters (`"`, `<`, `>`), allowing
potential XSS via attribute breakout in the `<meta>` refresh tag.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: pi0

src/utils/response.ts

@@ -44,8 +44,12 @@ export function redirect(
   status: number = 302,
   statusText?: string,
 ): HTTPResponse {
-  const encodedLoc = encodeURI(location);
-  const body = /* html */ `<html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}" /></head></html>`;
+  const htmlLoc = location
+    .replace(/&/g, "&amp;")
+    .replace(/"/g, "&quot;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;");
+  const body = /* html */ `<html><head><meta http-equiv="refresh" content="0; url=${htmlLoc}" /></head></html>`;
   return new HTTPResponse(body, {
     status,
     statusText: statusText || (status === 301 ? "Moved Permanently" : "Found"),

test/utils.test.ts

@@ -49,7 +49,8 @@ describeMatrix("utils", (t, { it, describe, expect }) => {
       expect(result.headers.get("location")).toBe(malicious);
       const body = await result.text();
       expect(body).not.toContain("<script>");
-      expect(body).toContain("%3Cscript%3E");
+      expect(body).toContain("&lt;script&gt;");
+      expect(body).toContain("&quot;");
     });
   });