chore(xml-builder): single-pass XML escape for escapeElement and escapeAttribute (#7833)

Replace chained .replace() calls with a single regex + lookup map approach.

- escapeElement: 9 sequential .replace() calls → 1 pass with combined regex
- escapeAttribute: 4 sequential .replace() calls → 1 pass with combined regex
- Fix missing /g flag on \u2028 replacement in escapeElement (only first
  occurrence was being escaped)

Author: TrevorBurnham

packages-internal/xml-builder/src/escape-attribute.ts

@@ -1,8 +1,17 @@
+const ATTR_ESCAPE_RE = /[&<>"]/g;
+
+const ATTR_ESCAPE_MAP: Record<string, string> = {
+  "&": "&amp;",
+  "<": "&lt;",
+  ">": "&gt;",
+  '"': "&quot;",
+};
+
 /**
  * @internal
  *
  * Escapes characters that can not be in an XML attribute.
  */
 export function escapeAttribute(value: string): string {
-  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+  return value.replace(ATTR_ESCAPE_RE, (ch) => ATTR_ESCAPE_MAP[ch]);
 }

packages-internal/xml-builder/src/escape-element.spec.ts

@@ -7,4 +7,8 @@ describe("escape-element", () => {
     const value = "abc 123 &<>\"'%\n\r\u0085\u2028";
     expect(escapeElement(value)).toBe("abc 123 &amp;&lt;&gt;&quot;&apos;%&#x0A;&#x0D;&#x85;&#x2028;");
   });
+
+  it("escapes multiple \\u2028 occurrences", () => {
+    expect(escapeElement("a\u2028b\u2028c")).toBe("a&#x2028;b&#x2028;c");
+  });
 });

packages-internal/xml-builder/src/escape-element.ts

@@ -1,17 +1,22 @@
+const ELEMENT_ESCAPE_RE = /[&"'<>\r\n\u0085\u2028]/g;
+
+const ELEMENT_ESCAPE_MAP: Record<string, string> = {
+  "&": "&amp;",
+  '"': "&quot;",
+  "'": "&apos;",
+  "<": "&lt;",
+  ">": "&gt;",
+  "\r": "&#x0D;",
+  "\n": "&#x0A;",
+  "\u0085": "&#x85;",
+  "\u2028": "&#x2028;",
+};
+
 /**
  * @internal
  *
  * Escapes characters that can not be in an XML element.
  */
 export function escapeElement(value: string): string {
-  return value
-    .replace(/&/g, "&amp;")
-    .replace(/"/g, "&quot;")
-    .replace(/'/g, "&apos;")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;")
-    .replace(/\r/g, "&#x0D;")
-    .replace(/\n/g, "&#x0A;")
-    .replace(/\u0085/g, "&#x85;")
-    .replace(/\u2028/, "&#x2028;");
+  return value.replace(ELEMENT_ESCAPE_RE, (ch) => ELEMENT_ESCAPE_MAP[ch]);
 }