Build: Fix an XSS in the test server HTML serving logic

The test server has a rule for `/tests/unit/*/*.html` paths that serves
a proper local file. However, the parameters after `/unit/` were so far not
escaped, leading to possibly reading a file from outside of the Git repository.
Fix that by replacing non-alphanumeric characters that are also not `-` or `_`.

This should resolve one CodeQL alert.

Author: mgol

tests/runner/createTestServer.js

@@ -23,8 +23,9 @@ export async function createTestServer( report ) {
 
 	// Add a script tag to HTML pages to load the QUnit listeners
 	app.use( /\/tests\/unit\/([^/]+)\/\1\.html$/, async( req, res ) => {
+		const moduleEscaped = req.params[ 0 ].replace( /[^a-z0-9_-]/gi, "" );
 		const html = await readFile(
-			`tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`,
+			`tests/unit/${ moduleEscaped }/${ moduleEscaped }.html`,
 			"utf8"
 		);
 		res.send(