[codex] Fix Lazy Blocks meta XSS guard

[Fellan-91]

Summary

This PR hardens Lazy Blocks block-code meta handling against direct WordPress metadata writes.

Root Cause

The block builder REST/UI save path uses save_meta_boxes(), which checks unfiltered_html before persisting block code fields. However, XML-RPC/custom fields and other direct metadata API writes can write lazyblocks_code_frontend_html without going through that save path. A user who can edit Lazy Blocks but does not have unfiltered_html could therefore persist executable frontend HTML in a block template.

This matters for environments such as Multisite site admins, installs with DISALLOW_UNFILTERED_HTML, or custom roles that have edit_lazyblocks without unfiltered_html.

Changes

• Adds add_post_metadata and update_post_metadata guards for unsafe Lazy Blocks code meta keys.
• Blocks direct writes to lazyblocks_code_editor_html, lazyblocks_code_frontend_html, and lazyblocks_script_view unless the current user is allowed unfiltered HTML.
• Adds a PHPUnit regression test that reproduces the bypass with direct add_post_meta() / update_post_meta() calls.

Validation

• TDD red/green check: the new regression test fails when the metadata guards are disabled and passes when they are enabled.
• npm run test:unit:php -- --filter test_direct_meta_writes_block_code_fields_for_non_privileged_users
• npm run test:unit:php -- --filter SecurityTest
• npm run test:unit:php -- --filter 'SecurityTest|BlockRenderTest|BlockRegistrationTest|ExportPermissionTest'
• vendor/bin/phpcs --standard=phpcs.xml.dist classes/class-blocks.php tests/phpunit/SecurityTest.php