
fix(security): disclose ReDoS risk for dataset filter reg #160

Merged
Ovilia merged 2 commits into master from fix-security, Apr 10, 2026

Conversation

@Ovilia Ovilia (Contributor) commented Mar 3, 2026

Background
We received a user-reported security finding about a potential ReDoS (Regular Expression Denial of Service) risk in the dataset filter transform when the reg option is driven by untrusted input.

Issue
The filter’s config.reg compiles user-supplied strings into RegExp and runs them on every row without checks on pattern complexity or length, which can lead to catastrophic backtracking and DoS (browser tab freeze or SSR blocking).

Decision
We are documenting this in the handbook instead of changing runtime behavior: the Security Guidelines (zh & en) now describe the risk and recommend mitigations (e.g. validating or restricting reg when config can be untrusted).
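One way to apply the mitigation the description recommends (validate or restrict `reg` before it is compiled into a `RegExp`), as an added example written for this page rather than code from ECharts or from this PR. It is plain JavaScript that runs under Node or in a browser; the `(rows, dimensionIndex, reg)` shape only loosely mirrors the ECharts filter transform config, and `validateFilterReg`, `applyFilter`, `escapeRegExp`, `filterWithUntrustedReg`, `backtrackingCostMs`, the two length caps and `SAMPLE_ROWS` are all this example's own assumptions.

```javascript
// Added example, not ECharts code: gate an untrusted `reg` before it reaches a
// dataset filter. The (rows, dimensionIndex, reg) shape mirrors the ECharts
// filter transform config only loosely; every name below is this example's own.
'use strict';

const MAX_PATTERN_LENGTH = 64;   // assumed cap on the pattern string
const MAX_VALUE_LENGTH = 256;    // assumed cap on each cell's text the regex sees

// Heuristic shapes that commonly trigger exponential backtracking: a quantified
// group whose body is itself quantified, e.g. (a+)+ or (\d*)*, and backreferences.
// This rejects the obvious cases (and some harmless ones); it cannot prove a
// pattern safe.
const NESTED_QUANTIFIER = /\([^()]*[+*][^()]*\)[+*{]/;
const BACKREFERENCE = /\\[1-9]/;

// Returns {ok: true, re} for a pattern that passes the checks, otherwise
// {ok: false, reason}. The RegExp is compiled without flags on purpose.
function validateFilterReg(pattern) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern must be a string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'pattern too long' };
  if (NESTED_QUANTIFIER.test(pattern)) return { ok: false, reason: 'nested quantifier' };
  if (BACKREFERENCE.test(pattern)) return { ok: false, reason: 'backreference' };
  try {
    return { ok: true, re: new RegExp(pattern) };
  } catch (e) {
    return { ok: false, reason: 'invalid syntax' };
  }
}

// Safer default when the caller only needs substring matching: escape the
// untrusted text so it is matched literally, which is always linear.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Minimal stand-in for the filter transform: keep rows whose cell at
// `dimensionIndex` matches `re`, skipping cells longer than the value cap so a
// pathological pattern never gets a long input either.
function applyFilter(rows, dimensionIndex, re) {
  return rows.filter((row) => {
    const cell = row[dimensionIndex];
    const text = cell == null ? '' : String(cell);
    return text.length <= MAX_VALUE_LENGTH && re.test(text);
  });
}

// Hardened entry point: untrusted pattern in, filtered rows or an error out.
function filterWithUntrustedReg(rows, dimensionIndex, untrustedPattern) {
  const v = validateFilterReg(untrustedPattern);
  if (!v.ok) throw new Error('rejected filter reg: ' + v.reason);
  return applyFilter(rows, dimensionIndex, v.re);
}

// Shows the cost curve of an unguarded pattern: ^(a+)+$ against n 'a's followed
// by '!' must try every way of splitting the a's before failing, so each extra
// 'a' roughly doubles the time. Keep n small (around 20) when running this.
function backtrackingCostMs(n) {
  const re = /^(a+)+$/;
  const input = 'a'.repeat(n) + '!';
  const t0 = Date.now();
  re.test(input);
  return Date.now() - t0;
}

// Constructed sample data in the row-array shape an ECharts dataset source uses.
const SAMPLE_ROWS = [
  ['Matcha Latte', 'East', 43],
  ['Milk Tea', 'West', 83],
  ['Cheese Cocoa', 'East', 86],
  ['Walnut Brownie', 'North', 72],
];

function demo() {
  console.log('East rows:', filterWithUntrustedReg(SAMPLE_ROWS, 1, '^East$').map((r) => r[0]));
  console.log('literal pattern for "(large)":', escapeRegExp('(large)'));
  try {
    filterWithUntrustedReg(SAMPLE_ROWS, 0, '^(a+)+$');
  } catch (e) {
    console.log(e.message);
  }
  console.log('n=16:', backtrackingCostMs(16), 'ms; n=20:', backtrackingCostMs(20), 'ms');
}

demo();
```

The heuristic is a filter, not a proof: patterns such as `(a|aa)+` pass it and are still super-linear. Where the regex truly comes from an untrusted party, the stronger options are to not accept a regex at all (take a substring and run it through `escapeRegExp`), to run the filter in a Worker that the page can terminate, or to use a linear-time engine instead of the backtracking one built into JavaScript.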

Copilot AI review requested due to automatic review settings March 3, 2026 02:14
Copilot AI left a comment
Pull request overview

This PR updates the ECharts security handbook (Chinese + English) to explicitly disclose a potential ReDoS risk when dataset.transform uses the filter transform with config.reg sourced from untrusted input, and provides mitigation guidance for callers.

Changes:

  • Add a new checklist entry warning about ReDoS risk for dataset.transform filter config.reg.
  • Add a dedicated section describing the risk scenario and recommended mitigations (zh/en).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File | Description
contents/zh/best-practices/security.md | Adds ReDoS disclosure + mitigations section for dataset filter config.reg (Chinese).
contents/en/best-practices/security.md | Adds ReDoS disclosure + mitigations section for dataset filter config.reg (English).


Comment thread on contents/en/best-practices/security.md (outdated)
Comment thread on contents/zh/best-practices/security.md (outdated)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@raboof raboof (Member) left a comment
LGTM!

@Ovilia Ovilia merged commit 192f111 into master Apr 10, 2026
@Ovilia Ovilia deleted the fix-security branch April 10, 2026 01:23
4 participants