handle_click_slot_inner should not trust client-suggested slot changes

`handle_click_slot_inner` currently uses `packet.slot_changes` directly without verifying that they are valid. This means a malicious client can create their own items by placing them in `slot_changes` in the click slot packet.