gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (#145600)

Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`.

Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <victor.stinner@gmail.com>