Commit feda268

Authored by Bogdan-Marius-Catanus (bogdanmariusc10) and jonpspri
fix(security): block URL-encoded injection patterns in SecurityValidator.validate_url() (#4335)
* fix: block URL-encoded injection patterns in SecurityValidator.validate_url()

Decode URLs before security checks to prevent bypasses via URL encoding. Addresses CRLF injection, XSS, JavaScript protocol, and other attack vectors that could be hidden using percent-encoding (%0d%0a, %3Cscript%3E, etc.).

Changes:
- Add urllib.parse.unquote() at start of validate_url()
- Use decoded_value for all pattern-based security checks:
  - CRLF injection detection
  - XSS/HTML tag detection
  - JavaScript protocol detection
  - Space validation
  - Dangerous URL pattern matching

Structural checks (scheme, IPv6, protocol-relative, length) remain on original value as they validate URL structure, not content.

All 27 injection test vectors now blocked.

Fixes ICACF-19.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* fix(security): harden validators against double-encoding and encoded injection bypass

Extend percent-encoding defense to all SecurityValidator entry points (validate_no_xss, validate_uri, sanitize_display_text, validate_sql_parameter) and mirror hardening in the plugin framework standalone validator. Block double-encoded payloads, IIS %uXXXX escapes, JS \uXXXX/\xXX escapes, and invalid UTF-8 overlong sequences. Add _parse_ip_network_cached for CIDR parsing performance. Comprehensive regression tests for both core and plugin validators.

Closes #4318

Signed-off-by: Jonathan Springer <jps@s390x.com>

---------

Signed-off-by: Jonathan Springer <jps@s390x.com>
Co-authored-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
Co-authored-by: Jonathan Springer <jps@s390x.com>
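The decode-before-validate pattern the commit message describes, written as an added example for this page and not taken from the mcpgateway project's SecurityValidator: structural checks (length, protocol-relative, scheme) run on the original string, content checks (CRLF, HTML tags, javascript:) run on the percent-decoded string, and the second commit's additions are mirrored by rejecting IIS %uXXXX escapes, JS \u/\x escapes, double-encoded payloads (a second decode that still changes the string) and overlong UTF-8 (a strict decode of the raw unquoted bytes). The function names, regexes, allowed-scheme set and sample vectors below are assumptions for illustration; the project's real check list and its 27 test vectors are not shown on this page.

```python
"""Decode-before-validate URL checks (illustrative example, not mcpgateway code)."""
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Assumed policy constants and patterns for this example.
ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 2048
CRLF_RE = re.compile(r"[\r\n]")                                   # header/log injection
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)        # <script, </a, < img ...
IIS_UNICODE_RE = re.compile(r"%u[0-9a-f]{4}", re.IGNORECASE)      # %u003C, IIS-only escape
JS_ESCAPE_RE = re.compile(r"\\(?:u[0-9a-f]{4}|x[0-9a-f]{2})", re.IGNORECASE)  # \u003C, \x3c


class URLValidationError(ValueError):
    """Raised with a short reason when a URL fails validation."""


def percent_decode_strict(value: str) -> str:
    """Decode one layer of %XX escapes and reject invalid or overlong UTF-8.

    unquote_to_bytes() keeps the raw bytes; a strict UTF-8 decode then refuses
    overlong forms such as %c0%af ('/' encoded in two bytes), which a lenient
    unquote(errors="replace") would silently turn into U+FFFD.
    """
    try:
        return unquote_to_bytes(value).decode("utf-8")
    except UnicodeDecodeError as exc:
        raise URLValidationError(f"invalid UTF-8 in percent-encoding: {exc.reason}") from exc


def decode_for_inspection(value: str) -> str:
    """Return the single-decoded form, rejecting encodings that hide a second layer."""
    if IIS_UNICODE_RE.search(value):
        raise URLValidationError("IIS-style %uXXXX escape")
    if JS_ESCAPE_RE.search(value):
        raise URLValidationError("JavaScript-style \\u/\\x escape")
    once = percent_decode_strict(value)
    # A second decode that changes the string means a %25-encoded layer was hiding
    # another escape (e.g. %253C -> %3C -> <). Reject instead of decoding further.
    if percent_decode_strict(once) != once:
        raise URLValidationError("double-encoded payload")
    return once


def validate_url(value: str) -> str:
    """Validate `value`; return it unchanged or raise URLValidationError."""
    # Structural checks run on the original string: they concern URL syntax.
    if len(value) > MAX_URL_LENGTH:
        raise URLValidationError("URL too long")
    if value.startswith("//"):
        raise URLValidationError("protocol-relative URL")
    try:
        scheme = urlsplit(value).scheme.lower()
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        raise URLValidationError(f"malformed URL: {exc}") from exc
    if scheme not in ALLOWED_SCHEMES:
        raise URLValidationError(f"scheme not allowed: {scheme or '(none)'}")
    # Content checks run on the decoded string so %0d%0a, %3Cscript%3E etc. are seen.
    decoded = decode_for_inspection(value)
    if CRLF_RE.search(decoded):
        raise URLValidationError("CRLF injection")
    if HTML_TAG_RE.search(decoded):
        raise URLValidationError("HTML tag in URL")
    if "javascript:" in decoded.lower():
        raise URLValidationError("javascript: protocol in URL")
    return value


def rejection_reason(value: str):
    """Return None if `value` passes, else the reason string (for callers and tests)."""
    try:
        validate_url(value)
    except URLValidationError as exc:
        return str(exc)
    return None


# Constructed sample vectors for this example (not the project's test vectors).
SAMPLE_VECTORS = [
    "https://example.com/search?q=caf%C3%A9",                  # legitimate, passes
    "https://example.com/100%25",                              # lone %25 -> '%', passes
    "https://example.com/?x=%0d%0aSet-Cookie:%20a=b",          # CRLF injection
    "https://example.com/?q=%3Cscript%3Ealert(1)%3C/script%3E",  # HTML tag
    "https://example.com/?r=%6Aavascript%3Aalert(1)",          # javascript: hidden in query
    "https://example.com/?q=%253Cscript%253E",                 # double-encoded
    "https://example.com/?q=%u003Cscript%u003E",               # IIS %uXXXX
    "https://example.com/?q=\\u003Cscript\\u003E",             # JS \u escape
    "https://example.com/%c0%af..",                            # overlong UTF-8 '/'
    "javascript:alert(1)",                                     # rejected structurally
]

if __name__ == "__main__":
    for url in SAMPLE_VECTORS:
        print(f"{str(rejection_reason(url)):52} {url}")
```

The design choice worth noting is that the double-encoding test is a comparison (decode twice, reject if the second pass still changed anything) rather than a loop that decodes until stable: looping normalizes the attacker's payload for you, whereas rejecting anything that needs two passes keeps legitimate single-encoded URLs working and treats a hidden second layer as hostile on its own.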
1 parent 7cc16a4 commit feda268

3 files changed

Lines changed: 823 additions & 46 deletions

File tree

.secrets.baseline

Lines changed: 2 additions & 2 deletions
@@ -3,7 +3,7 @@
33
"files": "(?x)( package-lock\\.json$ |Cargo\\.lock$ |uv\\.lock$ |go\\.sum$ |mcpgateway/sri_hashes\\.json$ )|^.secrets.baseline$",
44
"lines": null
55
},
6-
"generated_at": "2026-04-26T06:08:46Z",
6+
"generated_at": "2026-04-26T07:08:49Z",
77
"plugins_used": [
88
{
99
"name": "AWSKeyDetector"
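Review bot: the only change in this hunk is the generated_at bump from 2026-04-26T06:08:46Z to 07:08:49Z, which is the side effect of regenerating the baseline (the plugins_used/AWSKeyDetector and hashed_secret fields are the detect-secrets baseline layout) rather than a deliberate edit; it is harmless, but say in the PR description that the baseline was regenerated with the scanner instead of hand-edited, so a reviewer does not go looking for a meaningful change here.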
@@ -4844,7 +4844,7 @@
48444844
"hashed_secret": "c377074d6473f35a91001981355da793dc808ffd",
48454845
"is_secret": false,
48464846
"is_verified": false,
4847-
"line_number": 699,
4847+
"line_number": 751,
48484848
"type": "Hex High Entropy String",
48494849
"verified_result": null
48504850
}
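Review bot: line_number for hashed_secret c377074d6473f35a91001981355da793dc808ffd moves from 699 to 751 with is_secret still false and is_verified still false, so this is a re-scan tracking 52 lines inserted above the flagged string, not a new finding; the file path this entry belongs to sits above the hunk and is not visible here, so confirm it is one of the three files this commit touches and that the "Hex High Entropy String" is a test fixture (for example an encoded injection vector from the new regression tests) rather than a credential before re-approving it as a false positive.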
