The test server has a rule for `/tests/unit/*/*.html` paths that serves
a proper local file. However, the parameters after `/unit/` so far accepted
many characters that have special meaning, leading to possibly reading a file
from outside of the Git repository. Fix that by only accepting alphanumeric
characters, `-` or `_`.
This should resolve one CodeQL alert.
Closes gh-2309
Avoid relying on jQuery patches. Instead:
* use `CSS.escape` instead of `jQuery.escapeSelector`
* use `.filter()` with a proper handler instead of `.even()`
Keep `jquery-patch.js` for backwards compatibility, though.
Also, add tests for jquery-patch.
Ref gh-2249
