Fix HTML injection risks in FilesPage and UploadPage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/views/Files/FilesPage.vue

@@ -486,6 +486,7 @@ import {
   deleteFileModal,
   reallyDeleteInformation,
 } from "@/module/alertModal.js";
+import { escapeHtml } from "@/utils/escapeHtml.js";
 
 const router = useRouter();
 
@@ -761,7 +762,7 @@ async function deleteFile(type, id, name, source) {
         default:
           break;
       }
-      const content = `<li>[${i.type}] ${i.name}</li>`;
+      const content = `<li>[${escapeHtml(i.type)}] ${escapeHtml(i.name)}</li>`;
       srt += content;
     });
   }
@@ -790,7 +791,7 @@ function showReallyDelete() {
           break;
       }
 
-      const content = `<li>[${file.type}] ${file.name}</li>`;
+      const content = `<li>[${escapeHtml(file.type)}] ${escapeHtml(file.name)}</li>`;
       srt += content;
     });
   }

src/views/Upload/UploadPage.vue

@@ -330,7 +330,7 @@ function getTextWidth(text, e) {
   const processedText = text.replace(/ /g, "\u00a0");
   const hiddenSpan = document.createElement("span");
 
-  hiddenSpan.innerHTML = processedText;
+  hiddenSpan.textContent = processedText;
   hiddenSpan.style.font = window.getComputedStyle(e).font;
   hiddenSpan.style.visibility = "hidden";
   document.body.appendChild(hiddenSpan);