fix: prevent ReDoS vulnerability in HTML payload unwrapping regex

Fixed a polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the HTML payload unwrapping function. The base64 capture group in the regex pattern was changed from greedy (`+`) to non-greedy (`+?`) to prevent exponential backtracking when processing malicious input.

**Security Impact:**
- Prevents potential DoS attacks through crafted HTML input that could cause excessive CPU usage
- Maintains the same functional behavior for legitimate base64 payload extraction

**Technical Details:**
- Modified regex pattern in `lib/tdf3/src/utils/unwrap.ts` line 6
- Changed `([a-zA-Z0-9+/=]+)` to `([a-zA-Z0-9+/=]+?)` to use non-greedy matching
- This eliminates catastrophic backtracking scenarios while preserving correct base64 extraction

Author: jentfoo

lib/tdf3/src/utils/unwrap.ts

@@ -3,7 +3,7 @@ import { InvalidFileError } from '../../../src/errors.js';
 
 export function unwrapHtml(htmlPayload: Uint8Array): Uint8Array {
   const html = new TextDecoder().decode(htmlPayload);
-  const payloadRe = /<input id=['"]?data-input['"]?[^>]*?value=['"]?([a-zA-Z0-9+/=]+)['"]?/;
+  const payloadRe = /<input id=['"]?data-input['"]?[^>]*?value=['"]?([a-zA-Z0-9+/=]+?)['"]?/;
   const reResult = payloadRe.exec(html);
   if (!reResult) {
     throw new InvalidFileError('Payload is missing');