typesense / typesense-js

JavaScript / TypeScript client for Typesense
https://typesense.org/docs/api
Apache License 2.0
393 stars, 74 forks

fix: Escape user-supplied strings in URLs to prevent injection #211

Open LewisW opened 2 months ago

LewisW commented 2 months ago

Change Summary

Fixes #194 by escaping user-supplied strings in URLs. This fixes a potential vulnerability that gives a malicious actor the ability to delete parent collections by starting their ID with a hash (in cases where something user-supplied like a username, email etc. is used for the document ID/prefix).

It's also pretty common practice to use the # character in DynamoDB keys, which is how we discovered this issue.

PR Checklist

kopertop commented 1 month ago

Just to add a +1 here, this also breaks when IDs have a / in them.

I would suggest the default should be to do the URL encoding in the library, and if you need an explicit opt-out for backwards compatibility you could add that, but certainly the default should be to encode them in the library (for new users like myself).