fix(csp): support MemberExpression assignments in evaluator (#4807)
* fix(csp): support MemberExpression assignments in evaluator
Replace the blanket "Property assignments are prohibited" throw with
targeted logic that resolves the object and property, blocks DOM node
writes (instanceof Node), and performs the assignment. The
UpdateExpression MemberExpression path was missing both guards; align
it with AssignmentExpression to correctly guard against DOM node writes
and prototype pollution.
Fixes #4722
Ref: #4671 (sections 3.1.6, 3.2.5)
* fix(csp): harden security guards for MemberExpression assignments
- Add setAttribute, setAttributeNS, setAttributeNode, setAttributeNodeNS
to the dangerous keywords blocklist to prevent XSS via event handler
attribute injection (e.g. $el.setAttribute('onclick', 'evil'))
- Widen instanceof Node check to also cover CSSStyleDeclaration,
DOMStringMap, DOMTokenList, and NamedNodeMap to prevent property
assignments on DOM-adjacent objects (e.g. $el.style.cssText, $el.dataset)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Caleb Porzio <calebporzio@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Darius committed
a0450cc87746bc0ab09f3e58950f6ea8b77f89c4
Parent: cd7978d
Committed by GitHub <noreply@github.com>
on 4/10/2026, 2:34:25 PM
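The guard logic the commit message describes, written out as an added example that is not Alpine's own evaluator code: a minimal evaluator over a small ESTree-style AST subset (Identifier, Literal, MemberExpression, AssignmentExpression, UpdateExpression) in which both the AssignmentExpression and the UpdateExpression paths share one write routine that resolves the object and property, rejects dangerous keywords (prototype-pollution keys and the setAttribute family), and refuses writes to DOM and DOM-adjacent objects via instanceof. The dangerous-keyword list, the `$el`/`$data` scope names and the AST builder helpers are assumptions for illustration; the real constructor list is looked up on globalThis, and a constructed `FakeDomNode` class stands in for a DOM node so the block runs under Node.js without a browser.

```javascript
// Added example (not Alpine's code): MemberExpression assignment guards for a
// CSP-style expression evaluator, shared by AssignmentExpression and UpdateExpression.

// Property names that may never be read, written or called through member access.
// The first three stop prototype pollution; the rest are the setAttribute family,
// which would otherwise allow event-handler attribute injection such as
// $el.setAttribute('onclick', ...). (Assumed list for this example.)
const DANGEROUS_KEYWORDS = new Set([
  'constructor', '__proto__', 'prototype',
  'setAttribute', 'setAttributeNS', 'setAttributeNode', 'setAttributeNodeNS',
]);

// Stand-in for a DOM node so the example runs without a browser (constructed).
class FakeDomNode {}

// Constructors whose instances must not receive property writes: the browser
// globals when present, plus the stand-in so the guard is exercisable offline.
const DOM_GUARDED_CTORS = [
  'Node', 'CSSStyleDeclaration', 'DOMStringMap', 'DOMTokenList', 'NamedNodeMap',
].map((name) => globalThis[name]).filter((ctor) => typeof ctor === 'function');
DOM_GUARDED_CTORS.push(FakeDomNode);

function isDomGuarded(obj) {
  return DOM_GUARDED_CTORS.some((Ctor) => obj instanceof Ctor);
}

// Resolve the property key of a MemberExpression (computed keys are evaluated,
// so $data['__pro' + 'to__'] ends up checked as the same string).
function memberKey(node, scope) {
  return node.computed ? String(evaluate(node.property, scope)) : node.property.name;
}

// Single write path: resolve object and key, apply every guard, then assign.
function assignMember(target, value, scope) {
  const obj = evaluate(target.object, scope);
  const key = memberKey(target, scope);
  if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) {
    throw new TypeError(`Cannot assign property "${key}" of a non-object`);
  }
  if (DANGEROUS_KEYWORDS.has(key)) {
    throw new Error(`Assignment to "${key}" is prohibited`);
  }
  if (isDomGuarded(obj)) {
    throw new Error(`Assignment to "${key}" on a DOM object is prohibited`);
  }
  obj[key] = value;
  return value;
}

function evaluate(node, scope) {
  switch (node.type) {
    case 'Literal':
      return node.value;
    case 'Identifier':
      if (!Object.prototype.hasOwnProperty.call(scope, node.name)) {
        throw new ReferenceError(`${node.name} is not defined`);
      }
      return scope[node.name];
    case 'MemberExpression': {
      const obj = evaluate(node.object, scope);
      const key = memberKey(node, scope);
      // Reads go through the blocklist too, so $el.setAttribute cannot be obtained and called.
      if (DANGEROUS_KEYWORDS.has(key)) throw new Error(`Access to "${key}" is prohibited`);
      return obj[key];
    }
    case 'AssignmentExpression': {
      if (node.operator !== '=') throw new Error(`Unsupported operator ${node.operator}`);
      const value = evaluate(node.right, scope);
      if (node.left.type === 'Identifier') return (scope[node.left.name] = value);
      if (node.left.type === 'MemberExpression') return assignMember(node.left, value, scope);
      throw new Error(`Unsupported assignment target ${node.left.type}`);
    }
    case 'UpdateExpression': {
      // The MemberExpression branch reuses assignMember, so ++/-- get the same guards as '='.
      const delta = node.operator === '++' ? 1 : -1;
      const old = evaluate(node.argument, scope);
      const updated = old + delta;
      if (node.argument.type === 'Identifier') scope[node.argument.name] = updated;
      else if (node.argument.type === 'MemberExpression') assignMember(node.argument, updated, scope);
      else throw new Error(`Unsupported update target ${node.argument.type}`);
      return node.prefix ? updated : old;
    }
    default:
      throw new Error(`Unsupported node type ${node.type}`);
  }
}

// AST builder helpers (assumed, for writing expressions by hand).
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const member = (object, property, computed = false) =>
  ({ type: 'MemberExpression', object, property: computed ? property : id(property), computed });
const assign = (left, right) => ({ type: 'AssignmentExpression', operator: '=', left, right });
const update = (argument, operator = '++', prefix = false) =>
  ({ type: 'UpdateExpression', operator, argument, prefix });

// Evaluate and report whether a guard rejected the expression.
function tryEval(node, scope) {
  try { return { ok: true, value: evaluate(node, scope) }; }
  catch (e) { return { ok: false, error: e.message }; }
}
```

Usage: `evaluate(assign(member(id('$data'), 'count'), lit(5)), scope)` performs `$data.count = 5`, while `tryEval(assign(member(id('$el'), 'innerHTML'), lit('x')), scope)` and `tryEval(update(member(id('$el'), 'tabIndex')), scope)` both come back rejected, which is the point of routing UpdateExpression through the same write path as AssignmentExpression.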