Sanitize Cytoscape tooltip labels to prevent XSS

Co-Authored-By: Codex <codex@openai.com>

tests/unit/module/tooltipContent.test.js

@@ -0,0 +1,19 @@
+// The Lucia project.
+// Copyright 2026-2026 DSP, inc.  All rights reserved.
+// Authors:
+//   codex@openai.com (Codex), 2026/03/08
+
+import { describe, it, expect } from 'vitest';
+import { createTooltipContent } from '@/module/tooltipContent.js';
+
+describe('createTooltipContent', () => {
+  it('renders untrusted label as plain text', () => {
+    const label = '<img src=x onerror=alert(1)>Node';
+
+    const content = createTooltipContent(label);
+
+    expect(content.textContent).toBe(label);
+    expect(content.innerHTML).toContain('&lt;img');
+    expect(content.querySelector('img')).toBeNull();
+  });
+});