Commit 99f9dbf
Jaysinh Patankar
Theme: Harden WP_Theme_JSON methods against CSS injection
Adds comprehensive sanitization to WP_Theme_JSON::compute_theme_vars()
and WP_Theme_JSON::to_ruleset() to treat theme.json as user-supplied content.
Security improvements:
- Sanitizes CSS variable names (alphanumeric + hyphens only)
- Sanitizes CSS selectors to prevent selector injection
- Sanitizes CSS property names and values
- Quote-aware parsing preserves legitimate CSS syntax
- Blocks CSS structure characters (;, {, }) outside quotes
- Blocks dangerous URL protocols (javascript:, data:, vbscript:)
- Blocks CSS at-rules (@import, @charset, @namespace)
- Blocks legacy browser attacks (expression, behavior, -moz-binding)
- Enforces length limits to prevent DoS attacks
New sanitization methods in WP_Theme_JSON:
- sanitize_css_selector() - Validates CSS selectors
- sanitize_css_property_name() - Validates property names
- sanitize_css_property_value() - Validates property values
Test coverage:
- tests/phpunit/tests/theme/wpThemeJsonComputeThemeVars.php (23 tests)
- tests/phpunit/tests/theme/wpThemeJsonToRuleset.php (27 tests)
- Total: 50 test methods, all passing
Props: villu164
Fixes #622241

Parent: fd35afa
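As an added illustration of the checks the message lists (this is not the commit's own WP_Theme_JSON code), a stand-alone PHP value sanitizer: a quote-aware scan rejects `;`, `{`, `}` outside strings, then keyword checks run on a whitespace-stripped lowercase copy so split tokens like `java\tscript:` are still caught. The function names and the 1024-byte length limit are assumptions.

```php
<?php
// Added example, not WordPress code. Returns the value unchanged when it
// passes every check, or null when it must be rejected.
function sanitize_css_value_example(string $value, int $max_len = 1024): ?string {
    if (strlen($value) > $max_len) {
        return null;                                  // length limit (DoS guard)
    }
    $quote = null;
    $len   = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $c = $value[$i];
        if ($quote !== null) {                        // inside a quoted string
            if ($c === '\\') { $i++; continue; }      // skip the escaped character
            if ($c === $quote) { $quote = null; }
            continue;
        }
        if ($c === '"' || $c === "'") { $quote = $c; continue; }
        if ($c === ';' || $c === '{' || $c === '}') {
            return null;                              // structure char outside quotes
        }
    }
    if ($quote !== null) {
        return null;                                  // unterminated string
    }
    // Browsers ignore whitespace/control bytes inside some tokens, so strip them
    // and lowercase before matching the blocked keywords.
    $flat = strtolower(preg_replace('/[\s\x00-\x1f]+/', '', $value));
    $blocked = [
        'javascript:', 'data:', 'vbscript:',          // dangerous URL protocols
        '@import', '@charset', '@namespace',          // at-rules
        'expression(', 'behavior', '-moz-binding',    // legacy browser attacks
    ];
    foreach ($blocked as $needle) {
        if (strpos($flat, $needle) !== false) {
            return null;
        }
    }
    return $value;
}

// Variable names: alphanumeric and hyphens only, as the message specifies.
function is_valid_css_var_name_example(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9-]+$/', $name);
}

// Constructed inputs: a ';' inside quotes, an injected closing brace, and a
// protocol split by a tab.
var_dump(sanitize_css_value_example('url("a;b.png")'));
var_dump(sanitize_css_value_example('red; } body { color: blue'));
var_dump(sanitize_css_value_example("url(java\tscript:alert(1))"));
var_dump(is_valid_css_var_name_example('wp--preset--color--primary'));
```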