fix(browser): land PR #11880 decodeURIComponent guardrails

Guard malformed percent-encoding in relay target routes and browser dispatcher params, add regression tests, and update changelog.
Landed from contributor @Yida-Dev (PR #11880).

Co-authored-by: Yida-Dev <reyifeijun@gmail.com>

src/browser/routes/dispatcher.abort.test.ts

@@ -23,6 +23,15 @@ vi.mock("./index.js", () => {
           res.json({ ok: true });
         },
       );
+      app.get(
+        "/echo/:id",
+        async (
+          req: { params?: Record<string, string> },
+          res: { json: (body: unknown) => void },
+        ) => {
+          res.json({ id: req.params?.id ?? null });
+        },
+      );
     },
   };
 });
@@ -46,4 +55,19 @@ describe("browser route dispatcher (abort)", () => {
       body: { error: expect.stringContaining("timed out") },
     });
   });
+
+  it("returns 400 for malformed percent-encoding in route params", async () => {
+    const { createBrowserRouteDispatcher } = await import("./dispatcher.js");
+    const dispatcher = createBrowserRouteDispatcher({} as BrowserRouteContext);
+
+    await expect(
+      dispatcher.dispatch({
+        method: "GET",
+        path: "/echo/%E0%A4%A",
+      }),
+    ).resolves.toMatchObject({
+      status: 400,
+      body: { error: expect.stringContaining("invalid path parameter encoding") },
+    });
+  });
 });

src/browser/routes/dispatcher.ts

@@ -87,7 +87,14 @@ export function createBrowserRouteDispatcher(ctx: BrowserRouteContext) {
         for (const [idx, name] of match.paramNames.entries()) {
           const value = exec[idx + 1];
           if (typeof value === "string") {
-            params[name] = decodeURIComponent(value);
+            try {
+              params[name] = decodeURIComponent(value);
+            } catch {
+              return {
+                status: 400,
+                body: { error: `invalid path parameter encoding: ${name}` },
+              };
+            }
           }
         }
       }