fix(codegen-ui-react): add sanitization to binding expression

[ioanabrooks]

Problem

When Amplify Studio processes components with collection types, it recursively renders children and builds expression bindings without properly sanitizing them.

Solution

Updated property binding process:

• Added property value escaping during the component rendering pipeline
• Modified buildBindingExpression to safely handle property values
• Implemented custom validation instead of traditional HTML sanitization because:
• We're dealing with JSX expressions, not HTML
• Properties are intentionally rendered as expressions
• Standard HTML sanitizers wouldn't address the issue

credit @iCodeForBananas

Additional Notes

Links

Ticket

GitHub issue:

Other links

Verification

Manual tests

Automated tests

• Unit tests added/updated
• E2E tests added/updated
• N/A - (provide a reason)
• deferred - (provide GitHub issue for tracking)

Housekeeping

• No non-essential console logs
• All new files contain license notice

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.87%. Comparing base (bbc3435) to head (a0d01e4).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1174      +/-   ##
==========================================
+ Coverage   93.86%   93.87%   +0.01%     
==========================================
  Files         150      150              
  Lines        6114     6127      +13     
  Branches     1838     1838              
==========================================
+ Hits         5739     5752      +13     
  Misses        357      357              
  Partials       18       18              

Files with missing lines	Coverage Δ
...egen-ui-react/lib/react-component-render-helper.ts	92.14% <100.00%> (+0.26%)	⬆️
packages/codegen-ui-react/lib/utils/constants.ts	100.00% <100.00%> (ø)

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bbc3435...a0d01e4. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cwoolum]

buildAuthExpression may run into the same issue. Wouldn't this be a problem anywhere

[blakedunson]

lgtm