fix(security): Prevent XSS bypass in Instagram plugin postProcess

The Instagram plugin's postProcess ran after sanitization, allowing attackers to inject arbitrary HTML/JS via malicious Instagram URLs.

Changes:
- Add strict ID validation (alphanumeric, 10-14 chars) matching Instagram's Base64URL shortcode format
- Store only validated type+id in placeholders, not original URLs
- Reconstruct URLs from validated components (never use user input)
- Use DOM APIs in renderPost instead of innerHTML with user data
- Add double validation: parseInstagramUrl on input, regex on output

Attack vector blocked: instagram.com/p/ABC"><img src=x onerror=alert(1)>
Now rejected by VALID_ID pattern before reaching the DOM.
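
The validate-then-reconstruct flow this commit message describes, as an added example that is not the plugin's own code. The function bodies, the `%%INSTAGRAM:...%%` placeholder format, the set of post types and the names `toPlaceholder` and `extractEmbeds` are assumptions; `VALID_ID` follows the rule as the message states it.

```javascript
// Added illustration: every body and the placeholder format are hypothetical.
const VALID_ID = /^[A-Za-z0-9]{10,14}$/;           // rule as stated in the commit message
const VALID_TYPES = new Set(["p", "reel", "tv"]);  // assumed set of post types
const PLACEHOLDER = /%%INSTAGRAM:([^:%]*):([^:%]*)%%/g;

// Input side: reduce a URL to {type, id}, or null. No other part of the URL survives.
function parseInstagramUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (err) {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (!["instagram.com", "www.instagram.com"].includes(url.hostname)) return null;
  const parts = url.pathname.split("/").filter(Boolean);
  if (parts.length !== 2) return null;
  const [type, id] = parts;
  return VALID_TYPES.has(type) && VALID_ID.test(id) ? { type, id } : null;
}

// The placeholder carries only the validated components, never the original URL.
function toPlaceholder(input) {
  const parsed = parseInstagramUrl(input);
  return parsed ? `%%INSTAGRAM:${parsed.type}:${parsed.id}%%` : null;
}

// Output side (runs after sanitization): re-validate each placeholder and rebuild
// the URL from constants plus the validated parts. A renderer would then assign
// embed.url to an element property (for example a.href) instead of using innerHTML.
function extractEmbeds(html) {
  const embeds = [];
  for (const [, type, id] of html.matchAll(PLACEHOLDER)) {
    if (!VALID_TYPES.has(type) || !VALID_ID.test(id)) continue; // forged placeholder
    embeds.push({ type, id, url: `https://www.instagram.com/${type}/${id}/` });
  }
  return embeds;
}

// Constructed sample inputs.
const good = "https://www.instagram.com/p/CxYz123AbCd/?utm_source=x";
const bad = 'https://instagram.com/p/ABC"><img src=x onerror=alert(1)>';
console.log(toPlaceholder(good), toPlaceholder(bad));
console.log(extractEmbeds('<p>%%INSTAGRAM:p:CxYz123AbCd%%</p><p>%%INSTAGRAM:p:"><svg>%%</p>'));
```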