Fix safeNextPath: reject paths containing colon characters

Add a value.includes(':') check to the safeNextPath guard conditions
to block scheme-like injection patterns (e.g. /settings:debug).
This matches the security intent expressed in the test suite.

Author: cursoragent

apps/web/middleware.ts

@@ -79,6 +79,7 @@ function safeNextPath(value: string | null): string {
     !value?.startsWith("/") ||
     value.startsWith("//") ||
     value.includes("\\") ||
+    value.includes(":") ||
     hasControlCharacter(value)
   ) {
     return "/";