Normalize NUL bytes to U+FFFD at parse entry

[dereuromark]

A raw NUL (U+0000) must never reach rendered output. This replaces it with the U+FFFD replacement character at the parse entry (WHATWG-style normalization, for cross-impl conformance), so a control byte cannot survive into the produced HTML.

What changed

• BlockParser: at the parse entry, any NUL in the input is replaced with U+FFFD before line splitting.
• SafeMode: the URL-scheme normalization now also strips the U+FFFD replacement character. A NUL-in-scheme evasion such as java\x00script: arrives as java\u{FFFD}script: after normalization; stripping U+FFFD keeps that evasion detected and blocked (empty href), preserving the existing SafeMode guarantee.

The dangerous-scheme detection regex itself was kept intact; the change only extends the set of stripped characters so the upstream NUL normalization does not open a new bypass.

Ported from carve-php commit ff40264.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.06%. Comparing base (306e362) to head (5c05fac).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff            @@
##             master     #248   +/-   ##
=========================================
  Coverage     92.06%   92.06%           
- Complexity     3571     3572    +1     
=========================================
  Files           107      107           
  Lines         10118    10120    +2     
=========================================
+ Hits           9315     9317    +2     
  Misses          803      803           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.