
fix(browser): escape inline orchestrator scripts #10412

Merged
sheremet-va merged 2 commits into vitest-dev:main from hi-ogawa:fix/escape-inline-orchestrator-scripts on May 21, 2026

Conversation

@hi-ogawa (Collaborator) commented May 21, 2026

Description

Minor security gotcha that I noticed when digging #10283. This isn't a vulnerability other than user code attacking itself, but it makes sense to safeguard to avoid any potential future attack surface.

This is also a genuine bug fix for certain string use in provide/inject. Before the fix, the orchestrator page shows up like this with provide.someKey: "</script><h1>inject1</h1><!--":

image

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. If the feature is substantial or introduces breaking changes without a discussion, PR might be closed.
  • Ideally, include a test that fails without this PR but passes with it.
  • Please, don't make changes to pnpm-lock.yaml unless you introduce a new test example.
  • Please check Allow edits by maintainers to make review process faster. Note that this option is not available for repositories that are owned by Github organizations.

Tests

  • Run the tests with pnpm test:ci.

Documentation

  • If you introduce new functionality, document it. You can run documentation with pnpm run docs command.

Changesets

  • Changes in changelog are generated from PR name. Please, make sure that it explains your changes in an understandable manner. Please, prefix changeset messages with feat:, fix:, perf:, docs:, or chore:.

Co-authored-by: Codex <noreply@openai.com>
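The failure mode described in the comment above, as an added example that is not part of the PR or of vitest's code: a hypothetical orchestrator template inlines the `provide` object into a `<script>` element, first unescaped (the "before" behaviour, where a value containing `</script>` closes the script early and the rest is parsed as HTML), then with the `<`, `>`, `&` and JS line-terminator escaping that a fix of this kind applies. `renderUnsafe`, `renderSafe`, `escapeForInlineScript` and `window.__provide__` are assumed names; the actual template and the fix in #10412 are not shown on this page.

```javascript
// Added example, not vitest's own code. It reproduces the bug class the PR
// fixes: a JSON payload (here the `provide` object) is inlined into a
// <script> element of a generated HTML page. The HTML tokenizer does not
// know about JavaScript string syntax, so a value containing "</script>"
// terminates the script early and the rest of the value is parsed as HTML.
// `renderUnsafe`, `renderSafe` and `window.__provide__` are hypothetical
// stand-ins for the orchestrator page; the real template is not shown here.

// Vulnerable: JSON.stringify leaves '<', '>' and '&' untouched.
function renderUnsafe(provide) {
  return `<script>window.__provide__ = ${JSON.stringify(provide)}</script>`;
}

// Hardened: rewrite the characters that can open or close HTML constructs
// into JSON's \uXXXX form. In JSON.stringify output these characters only
// ever occur inside string literals (structural JSON never contains them),
// so JSON.parse and the JS engine still decode them to the original text.
// U+2028/U+2029 are line terminators in JS source and are escaped as well.
function escapeForInlineScript(json) {
  return json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(provide) {
  return `<script>window.__provide__ = ${escapeForInlineScript(JSON.stringify(provide))}</script>`;
}

// The script body between the opening tag and the intended closing tag.
function scriptBody(html) {
  return html.slice('<script>'.length, html.lastIndexOf('</script>'));
}

// Check the way the HTML parser would: a "</script" or "<!--" inside the
// body ends the script element early or changes its escaping state.
function scriptBreaksOut(html) {
  const body = scriptBody(html);
  return /<\/script/i.test(body) || body.includes('<!--');
}

// The escaped payload must still round-trip to the same value.
function roundTrip(provide) {
  const body = scriptBody(renderSafe(provide));
  return JSON.parse(body.replace('window.__provide__ = ', ''));
}

// Constructed input: the same string quoted in the PR description.
const payload = { someKey: '</script><h1>inject1</h1><!--' };
console.log(scriptBreaksOut(renderUnsafe(payload))); // true
console.log(scriptBreaksOut(renderSafe(payload)));   // false
console.log(roundTrip(payload).someKey === payload.someKey); // true
```

Only `<` strictly needs escaping to stop `</script>` and `<!--` from being recognised, but escaping `>` and `&` as well costs nothing and keeps the payload safe if it is ever moved into an attribute or a non-script context.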
@netlify

netlify Bot commented May 21, 2026

Deploy Preview for vitest-dev ready!

Built without sensitive environment variables

Latest commit: 5c9510c
Latest deploy log: https://app.netlify.com/projects/vitest-dev/deploys/6a0e748a461c320008a2cc61
Deploy Preview: https://deploy-preview-10412--vitest-dev.netlify.app

@hi-ogawa hi-ogawa marked this pull request as ready for review May 21, 2026 04:10
@sheremet-va sheremet-va merged commit c22cfb6 into vitest-dev:main May 21, 2026
15 of 17 checks passed