
fix(xml): harden parser against DoS and fix entity handling #7021

Open
tomas-zijdemans wants to merge 6 commits into denoland:main from tomas-zijdemans:xml-sec

Conversation

@tomas-zijdemans (Contributor) commented Feb 22, 2026

  • Breaking: To prevent XXE, disable DTDs by default (it's now opt-in), following the OWASP guidelines
  • Fix: attribute duplicate detection
  • Fix: eliminate unbounded memory growth from hostile DOCTYPE content
  • Fix: the onDoctype callback was broken; it now forwards correctly
  • Perf: entity regex simplified
  • Fix: entity names containing digits (e.g. &foo1) are now consistently rejected as unknown
  • Refactor: allow setting maxDepth and maxAttributes per OWASP recommendation
  • Removed some dead code
  • Added more tests
  • Added a module tag for JSR
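The hardening points in the description above, as an added example that is not the PR's code or the Deno std xml module's: a small TypeScript scanner that rejects a DOCTYPE unless the caller opts in (XXE and entity-expansion payloads both need a DTD), bounds the work spent skipping a DOCTYPE when it is enabled, caps nesting depth and attributes per element, rejects duplicate attributes, and treats only the five predefined entities as known, so a reference such as &foo1; is an error rather than something passed through. The names ScanLimits, scanXml, decodeEntities, allowDoctype and maxDoctypeLength are this example's own assumptions, not the std API, and the BILLION_LAUGHS input is a constructed sample.

```typescript
// Added example (not Deno std's xml code): a minimal hardened XML scanner applying the PR's
// controls. All names here (ScanLimits, scanXml, allowDoctype, maxDoctypeLength, ...) are assumptions.
export interface ScanLimits {
  allowDoctype: boolean;    // off by default: XXE and entity-expansion attacks both need a DTD
  maxDepth: number;         // cap on element nesting (bounds the stack or tree a parser builds)
  maxAttributes: number;    // cap on attributes per start tag
  maxDoctypeLength: number; // cap on characters examined while skipping a DOCTYPE
}
export const DEFAULT_LIMITS: ScanLimits = { allowDoctype: false, maxDepth: 256, maxAttributes: 64, maxDoctypeLength: 4096 };

// Only the five predefined entities are known. A Map, not an object literal, so &constructor; cannot hit Object.prototype.
const PREDEFINED = new Map([["lt", "<"], ["gt", ">"], ["amp", "&"], ["quot", '"'], ["apos", "'"]]);

// Decodes character and predefined entity references. Unknown names (e.g. &foo1;), an
// unterminated "&" and bad numeric references throw instead of passing through.
export function decodeEntities(text: string): string {
  return text.replace(/&(#x[0-9A-Fa-f]+|#[0-9]+|[^;&<\s]*);?/g, (whole, ref: string) => {
    if (!whole.endsWith(";")) throw new Error(`unterminated entity reference "${whole}"`);
    if (ref.startsWith("#")) {
      const cp = ref[1] === "x" ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      if (!Number.isFinite(cp) || cp > 0x10ffff) throw new Error(`bad character reference "${whole}"`);
      return String.fromCodePoint(cp);
    }
    const value = PREDEFINED.get(ref);
    if (value === undefined) throw new Error(`unknown entity "${whole}"`);
    return value;
  });
}

// Skips a DOCTYPE without buffering it: at most maxLen characters are examined and only the
// internal-subset bracket depth is kept, so hostile DOCTYPE content costs O(1) memory.
function skipDoctype(xml: string, start: number, maxLen: number): number {
  let brackets = 0;
  for (let i = start, limit = Math.min(xml.length, start + maxLen); i < limit; i++) {
    if (xml[i] === "[") brackets++;
    else if (xml[i] === "]") brackets--;
    else if (xml[i] === ">" && brackets === 0) return i + 1;
  }
  throw new Error(`DOCTYPE not terminated within ${maxLen} characters`);
}

// Parses `name attr="v" ...` from a start tag body. A repeated attribute name is a
// well-formedness error; the count is capped. (Simplified: no '<' or '>' inside values.)
function parseStartTag(body: string, maxAttributes: number): { name: string; attrs: Map<string, string> } {
  const name = /^[A-Za-z_:][\w.:-]*/.exec(body);
  if (!name) throw new Error(`malformed start tag <${body}>`);
  const attrs = new Map<string, string>();
  const re = /\s+([A-Za-z_:][\w.:-]*)\s*=\s*(?:"([^"<>]*)"|'([^'<>]*)')/g;
  let pos = (re.lastIndex = name[0].length);
  for (let m = re.exec(body); m !== null; m = re.exec(body)) {
    if (m.index !== pos) throw new Error(`malformed attribute list in <${body}>`);
    pos = re.lastIndex;
    if (attrs.has(m[1])) throw new Error(`duplicate attribute "${m[1]}"`);
    if (attrs.size >= maxAttributes) throw new Error(`more than ${maxAttributes} attributes`);
    attrs.set(m[1], decodeEntities(m[2] ?? m[3] ?? ""));
  }
  if (body.slice(pos).trim() !== "") throw new Error(`malformed start tag <${body}>`);
  return { name: name[0], attrs };
}

// One pass over the document enforcing every limit; returns stats or throws at the first
// rejected construct. Comments, PIs and CDATA are skipped (a real parser would emit them).
export function scanXml(xml: string, limits: ScanLimits = DEFAULT_LIMITS): { elements: number; maxDepthSeen: number } {
  const open: string[] = [];
  let elements = 0, maxDepthSeen = 0, i = 0;
  const skipPast = (opener: string, closer: string) => {
    const end = xml.indexOf(closer, i + opener.length);
    if (end === -1) throw new Error(`unterminated ${opener} at offset ${i}`);
    i = end + closer.length;
  };
  while (i < xml.length) {
    const lt = xml.indexOf("<", i);
    decodeEntities(lt === -1 ? xml.slice(i) : xml.slice(i, lt)); // text node: validate every reference
    if (lt === -1) break;
    i = lt;
    if (xml.startsWith("<!--", i)) { skipPast("<!--", "-->"); continue; }
    if (xml.startsWith("<?", i)) { skipPast("<?", "?>"); continue; }
    if (xml.startsWith("<![CDATA[", i)) { skipPast("<![CDATA[", "]]>"); continue; }
    if (xml.startsWith("<!DOCTYPE", i)) {
      if (!limits.allowDoctype) throw new Error("DOCTYPE rejected: DTDs are disabled (opt in with allowDoctype)");
      i = skipDoctype(xml, i, limits.maxDoctypeLength); continue;
    }
    const gt = xml.indexOf(">", i); if (gt === -1) throw new Error("unterminated tag");
    const body = xml.slice(i + 1, gt);
    i = gt + 1;
    if (body.startsWith("/")) { if (body.slice(1).trim() !== open.pop()) throw new Error(`mismatched closing tag <${body}>`); continue; }
    const selfClosing = body.endsWith("/");
    const { name } = parseStartTag(selfClosing ? body.slice(0, -1) : body, limits.maxAttributes);
    elements++;
    if (open.length + 1 > limits.maxDepth) throw new Error(`nesting deeper than ${limits.maxDepth}`);
    maxDepthSeen = Math.max(maxDepthSeen, open.length + 1);
    if (!selfClosing) open.push(name);
  }
  if (open.length > 0) throw new Error(`${open.length} unclosed element(s)`);
  return { elements, maxDepthSeen };
}

// Constructed sample (not from the PR): the classic entity-expansion payload.
export const BILLION_LAUGHS =
  '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;">]><lolz>&lol2;</lolz>';
```

With the default limits, scanXml(BILLION_LAUGHS) throws at the DOCTYPE. Opting in with { ...DEFAULT_LIMITS, allowDoctype: true } skips the declaration in bounded work and then rejects &lol2; as an unknown entity, because nothing declared in a DTD is ever expanded here; a DOCTYPE with no closing '>' inside maxDoctypeLength characters is rejected without accumulating it. Real XML permits '>' in attribute values and more inside a DOCTYPE than this scanner handles; the point is the shape of each check, not a complete parser.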

codecov bot commented Feb 22, 2026

Codecov Report

❌ Patch coverage is 94.56522% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.84%. Comparing base (4221795) to head (7f3f094).

Files with missing lines   Patch %   Lines
xml/_tokenizer.ts          85.18%    4 Missing ⚠️
xml/_parser.ts             97.95%    1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7021      +/-   ##
==========================================
+ Coverage   93.73%   93.84%   +0.10%     
==========================================
  Files         620      620              
  Lines       49388    49404      +16     
  Branches     8651     8670      +19     
==========================================
+ Hits        46293    46361      +68     
+ Misses       3025     2973      -52     
  Partials       70       70              


tomas-zijdemans changed the title from "refactor(xml): harden parser against DoS and fix entity handling" to "fix(xml): harden parser against DoS and fix entity handling" on Feb 22, 2026
