docs: document ReDoS mitigations in JSX preprocessing

[Copilot]

	Fix RM-XYZ

🧰 Changes

Added inline documentation explaining ReDoS mitigations already implemented in the JSX preprocessing module. The original PR introduced four security fixes that eliminate catastrophic backtracking:

1. HTMLBlock pattern (line 53) - Unrolling pattern (?:[^\]|\.)*` ensures each character has one match path
2. Code block detection (line 70) - Replaced regex with indexOf() for O(n) string search
3. Comment removal (line 106) - Negative lookahead (?!\/) eliminates asterisk ambiguity
4. Attribute parsing (line 112) - Manual depth counter replaces nested quantifiers

No logic changes. Comments clarify security properties for maintainers.

🧬 QA & Testing

• All tests passing (3/3 in preprocess-jsx-expressions.test.ts)
• CodeQL scan: 0 vulnerabilities

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://storage.googleapis.com/chromium-browser-snapshots/Linux_x64/1108766/chrome-linux.zip
  • Triggering command: /usr/local/bin/node node install.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)