Stabilize WAF Compatibility

[swissspidy]

Feature Description

This ticket is two-fold:

Preventing issues with HTML markup in REST API requests

On one hand, This is a follow-up to #4805 to make the feature stable and remove the experimental flag.

One reason why the current method is experimental is because it uses mb_convert_encoding with UTF-16, which might not be available on all sites (the polyfill only handles UTF-8 well).

I think we can make this much, much simpler by not using Base64 and instead simply replace all > and < characters with placeholders over the wire. This should help prevent WAF issues.

For example, < could be replaced with __WEB_STORIES_LT__, and > with __WEB_STORIES_GT__

Example code:

function encodeMarkup(string) {
  return (
    '__WEB_STORIES_ENCODED__' +
    string
      .replaceAll('<', '__WEB_STORIES_LT__')
      .replaceAll('>', '__WEB_STORIES_GT__')
  );
}

Result:

// Markup generated by editor
<html amp><head>

// Sent via REST API
__WEB_STORIES_LT__html amp__WEB_STORIES_GT____WEB_STORIES_LT__head__WEB_STORIES_GT__

// Reconstructed in PHP
<html amp><head>

Of course there could be other ways too.

Preventing other issues with WAFs

Prevent conflicts in other areas, like HTTP request methods or other blocks, as done in #5120.

Alternatives Considered

Additional Context

---

Do not alter or remove anything below. The following sections will be managed by moderators only.

Acceptance Criteria

Implementation Brief

[bmattb]

@spacedmonkey will take first crack at the IB for this.

[spacedmonkey]

Instead of a IB here, I worked on a small POC PR found here #5364.

In short, using uriencoding, to side step the utf-16 issue. More details in this stack overflow issue.

This seems like a simple workaround that works. @swissspidy can you look at the PR and seem what you think. If you are happy, I will add some more tests, remove the experiment flag.