fix: Validate width range and escape percyElementId in RegExp for widths-config endpoint#2123

Closed
Copilot wants to merge 2 commits into PPLT-4949-add-cors-iframe-handling-and-multi-dom-width-config from copilot/sub-pr-2121

Conversation

Contributor

Copilot AI commented Feb 28, 2026

Two security/correctness issues identified in the /percy/widths-config endpoint and CORS iframe processing.

Changes

  • Width range validation (api.js): User-supplied widths query params were only filtered for NaN. Added w >= 120 && w <= 2000 to match the same constraints enforced by the config schema — preventing out-of-range values (e.g. -50, 100, 2001) from reaching snapshot capture.

  • RegExp injection fix (utils.js): iframeData.percyElementId was interpolated directly into a RegExp pattern, enabling regex injection and potential catastrophic backtracking from user-controlled input. Replaced the nosemgrep suppression with proper escaping before interpolation:

// Before
const regex = new RegExp(
  `(<iframe[^>]*data-percy-element-id=["']${iframeData.percyElementId}["'][^>]*>)`
);

// After
const escapedPercyElementId = String(iframeData.percyElementId).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
const regex = new RegExp(
  `(<iframe[^>]*data-percy-element-id=["']${escapedPercyElementId}["'][^>]*>)`
);
  • Test (api.test.js): Added a test case covering out-of-range widths (-50, 100, 2001) to verify they are filtered from the response.

Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>
Copilot AI changed the title [WIP] Add responsive widths config endpoint and CORS iframe processing fix: Validate width range and escape percyElementId in RegExp for widths-config endpoint Feb 28, 2026
@bhokaremoin bhokaremoin deleted the copilot/sub-pr-2121 branch February 28, 2026 17:06