fix: prevent ReDoS in inline link regex title group (#3902)

The title separator in the link regex used [ \t]* which allowed the
title group to be probed at every backtrack position of the greedy href
group. On long single-line input containing [text]( patterns without a
nearby closing ), this produced O(n²) per regex call and O(n³) in the
full inline tokenizer.

Change [ \t]* to [ \t]+|\n to require actual whitespace before the
title. This matches CommonMark spec requirements and eliminates the
backtracking cascade.

Before: 18K input takes ~36 seconds (event loop blocked)
After:  18K input takes ~45ms

Author: tzonghao

src/rules.ts

@@ -380,7 +380,7 @@ const tag = edit(
 
 const _inlineLabel = /(?:\[(?:\\[\s\S]|[^\[\]\\])*\]|\\[\s\S]|`+[^`]*?`+(?!`)|[^\[\]\\`])*?/;
 
-const link = edit(/^!?\[(label)\]\(\s*(href)(?:(?:[ \t]*(?:\n[ \t]*)?)(title))?\s*\)/)
+const link = edit(/^!?\[(label)\]\(\s*(href)(?:(?:[ \t]+(?:\n[ \t]*)?|\n[ \t]*)(title))?\s*\)/)
   .replace('label', _inlineLabel)
   .replace('href', /<(?:\\.|[^\n<>\\])+>|[^ \t\n\x00-\x1f]*/)
   .replace('title', /"(?:\\"?|[^"\\])*"|'(?:\\'?|[^'\\])*'|\((?:\\\)?|[^)\\])*\)/)

test/specs/redos/cubic_link_title.cjs

@@ -0,0 +1,4 @@
+module.exports = {
+  markdown: 'a[b](c'.repeat(1000),
+  html: `<p>${'a[b](c'.repeat(1000)}</p>\n`,
+};