Add escapeHtml utility and apply to all user-controllable SweetAlert2 html

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/unit/utils/escapeHtml.test.js

@@ -0,0 +1,29 @@
+import { describe, it, expect } from 'vitest';
+import { escapeHtml } from '@/utils/escapeHtml.js';
+
+describe('escapeHtml', () => {
+  it('escapes ampersand', () => {
+    expect(escapeHtml('a&b')).toBe('a&b');
+  });
+
+  it('escapes angle brackets', () => {
+    expect(escapeHtml('<script>')).toBe('&lt;script&gt;');
+  });
+
+  it('escapes double quotes', () => {
+    expect(escapeHtml('"hello"')).toBe('&quot;hello&quot;');
+  });
+
+  it('escapes single quotes', () => {
+    expect(escapeHtml("it's")).toBe("it&#039;s");
+  });
+
+  it('escapes all special characters together', () => {
+    expect(escapeHtml('<img src="x" onerror="alert(\'XSS\')">'))
+      .toBe('&lt;img src=&quot;x&quot; onerror=&quot;alert(&#039;XSS&#039;)&quot;&gt;');
+  });
+
+  it('returns plain text unchanged', () => {
+    expect(escapeHtml('hello world')).toBe('hello world');
+  });
+});