This PR fixes a terminal escape injection issue where untrusted page text was rendered directly in the terminal UI.

Issue

Untrusted remote content could include ANSI/OSC control sequences. Rendering those bytes in terminal output can trigger terminal-side actions (such as clipboard manipulation, deceptive hyperlinks, or UI spoofing).

What changed

In src/renderer.rs, this PR adds sanitize_terminal_text() and applies it to all untrusted display paths:

• rendered page segments
• status and prompt text
• URL/search/goto input echoes
• active form input echo
• bookmark/history overlay entries
• page info title/URL
• display truncation and URL-part rendering helpers

Why

Because the vulnerability occurs at terminal render time. Sanitizing at render sinks ensures control sequences are stripped immediately before display, preventing escape-sequence execution regardless of where the untrusted text originated.