fix: sanitize statusMessage of disallowed chars #1057

Merged: 2 commits, Mar 15, 2023

danielroe
Member

🔗 Linked issue

❓ Type of change

  • 📖 Documentation (updates to the documentation or readme)
  • 🐞 Bug fix (a non-breaking change that fixes an issue)
  • 👌 Enhancement (improving an existing functionality like performance)
  • ✨ New feature (a non-breaking change that adds functionality)
  • 🧹 Chore (updates to the build process or auxiliary tools and libraries)
  • ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

It will break the response if we set any of these characters by accident (e.g. if a user includes them in an error message).

Related: nuxt/nuxt#14688

📝 Checklist

  • I have linked an issue or discussion.
  • I have updated the documentation accordingly.
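
A sketch of the kind of status-message sanitizer this PR describes, as an added example that is not the PR's or h3's own code. The page does not list the disallowed characters, so the allowed set here (tab, space and printable ASCII) is an assumption, and all helper names are hypothetical.

```javascript
// Added example: hypothetical helpers, not code from this PR or from h3.
// Assumption: allowed characters are HTAB, SP and printable ASCII (0x21-0x7E),
// i.e. the RFC 9110 reason-phrase grammar without obs-text.
const DISALLOWED = /[^\t\x20-\x7E]/g;

// Strip every UTF-16 code unit outside the allowed set.
function sanitizeStatusMessage(message) {
  return String(message ?? "").replace(DISALLOWED, "");
}

// List the offending code units so they can be logged before stripping.
function findDisallowed(message) {
  return Array.from(String(message ?? "").matchAll(DISALLOWED), (m) => ({
    index: m.index,
    codeUnit:
      "U+" + m[0].charCodeAt(0).toString(16).toUpperCase().padStart(4, "0"),
  }));
}

// Build an HTTP/1.1 status line; the sanitized reason keeps it on one line.
function statusLine(code, message) {
  return `HTTP/1.1 ${code} ${sanitizeStatusMessage(message)}\r\n`;
}

// Constructed sample error messages (not taken from the PR).
const samples = [
  "Not Found",
  'Invalid name: "Jos\u00E9"',
  "Parse error\r\nat line 3",
  "Upload failed \u2717",
];

// For each sample: which code units were dropped and the resulting status line.
function report() {
  return samples.map((input) => ({
    input,
    stripped: findDisallowed(input).map((d) => d.codeUnit),
    line: statusLine(400, input),
  }));
}

console.log(JSON.stringify(report(), null, 2));
```

Stripping is lossy for non-ASCII text, so the full error message belongs in the response body rather than in the status line.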

@codecov

codecov bot commented Mar 15, 2023

Codecov Report

Merging #1057 (26be702) into main (1dcf5c4) will increase coverage by 0.07%.
The diff coverage is n/a.

❗ Current head 26be702 differs from pull request most recent head 88cf764. Consider uploading reports for the commit 88cf764 to get more accurate results

@@            Coverage Diff             @@
##             main    #1057      +/-   ##
==========================================
+ Coverage   67.32%   67.40%   +0.07%     
==========================================
  Files          62       62              
  Lines        6283     6283              
  Branches      706      707       +1     
==========================================
+ Hits         4230     4235       +5     
+ Misses       2038     2034       -4     
+ Partials       15       14       -1     

see 2 files with indirect coverage changes

@pi0
Member

pi0 commented Mar 15, 2023

(same for nitro, I think we could move it to low-level h3)

@danielroe
Member Author

linking upstream PR: unjs/h3#357

@danielroe
Member Author

okay, I'll update nitro in this PR to use setResponseStatus from h3. Then the fix will flow downstream once merged and released in upstream PR.

@pi0 pi0 merged commit b708e14 into main Mar 15, 2023
@pi0 pi0 deleted the fix/sanitise-status branch March 15, 2023 17:15
Labels
bug Something isn't working