server-islands: only encode ETAGO delimiter + opening HTML comment syntax #11513

Open
wants to merge 1 commit into
base: main

kurtextrem
Contributor

@kurtextrem kurtextrem commented Jul 20, 2024

Changes

As per https://mathiasbynens.be/notes/etago, to make JSON safe inside a <script> literal, you need to only encode end-open tag (ETAGO) delimiters and <!--. Thus, we can avoid some work. I've also hoisted the regexps so that we only initialize them once.

Regarding the removal of 0x2029 and 0x2028 added in #11508, to me it does not seem security related to escape those, jsesc notes:

avoid errors when passing JSON-formatted data (which may contain U+2028 LINE SEPARATOR, U+2029 PARAGRAPH SEPARATOR, or lone surrogates) to a JavaScript parser or an UTF-8 encoder.

Which does not seem relevant in the server-islands case. Did I miss anything here?

Testing

I used the following snippet by @ascorbic:
image

Docs

Only a small perf related change, so no further docs needed.
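
Added example, not part of the PR or of Astro's code: a sketch of the escaping described in the PR description above, where only `</` (ETAGO) and `<!--` are rewritten in the JSON output and the regexps are hoisted. The names `jsonForScript` and `breaksOutOfScript` and the sample object are assumptions made for illustration.

```javascript
// Added example: names are hypothetical, this is not Astro's code.
// Regexps are hoisted so they are compiled once, as the PR describes.
const ETAGO = /<\//g;         // "</", the end-tag-open delimiter
const COMMENT_OPEN = /<!--/g; // opening HTML comment syntax

// Serialize `value` so the result can sit inside <script>...</script>.
// "<" only ever appears inside JSON strings, so both replacements
// produce escapes that JSON.parse and a JS parser decode back.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(ETAGO, '<\\/')               // "</script>" -> "<\/script>"
    .replace(COMMENT_OPEN, '\\u003C!--'); // "<!--" -> "\u003C!--"
}

// Conservative check (not a full HTML tokenizer): a script body is
// treated as unsafe if it holds "</script" or "<!--" anywhere.
function breaksOutOfScript(body) {
  return /<\/script/i.test(body) || body.includes('<!--');
}

// Constructed sample input covering both sequences, in keys and values.
const sample = {
  title: '</script><p>after</p>',
  note: '<!-- <script>',
  'k</SCRIPT>': 'ok < fine',
};

const naive = JSON.stringify(sample);
const safe = jsonForScript(sample);

console.log(breaksOutOfScript(naive)); // true
console.log(breaksOutOfScript(safe));  // false
console.log(safe);
```

A lone `<` that is not followed by `/` or `!--` is left untouched, and the escaped output parses back to the original data.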


changeset-bot bot commented Jul 20, 2024

🦋 Changeset detected

Latest commit: 87aa1f6

The changes in this PR will be included in the next version bump.


@github-actions github-actions bot added the pkg: astro Related to the core `astro` package (scope) label Jul 20, 2024
@matthewp
Contributor

Thanks @kurtextrem! Would you mind adding a test for this? You can add one here: https://github.com/withastro/astro/blob/main/packages/astro/test/server-islands.test.js (see the fixtures being used). The last PR was a hot-fix, so a test didn't get added for urgency, but now that the problem is fixed it would be good to have a test to prevent regressions.
