fix: resolve CodeQL high-severity XSS and sanitization findings

message-wizard.es6.js: Replace innerHTML-based HTML stripping with
DOMParser which safely parses without script execution.

cwm-transcript.es6.js: Loop regex tag stripping until stable to handle
malformed/nested tags like <scr<b>ipt> that bypass single-pass removal.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: bcordis

build/media_source/js/cwm-transcript.es6.js

@@ -85,10 +85,15 @@
             const start = parseVttTime(tsParts[0]);
             const end = parseVttTime(endRaw);
 
-            // Text is everything after the timestamp line, strip VTT tags
-            const text = lines.slice(tsIndex + 1).join(' ')
-                .replace(/<[^>]+>/g, '')
-                .trim();
+            // Text is everything after the timestamp line, strip VTT tags.
+            // Loop until stable to handle malformed/nested tags like <scr<b>ipt>.
+            let text = lines.slice(tsIndex + 1).join(' ');
+            let prev;
+            do {
+                prev = text;
+                text = text.replace(/<[^>]+>/g, '');
+            } while (text !== prev);
+            text = text.trim();
 
             if (text) {
                 cues.push({ start, end, text });

build/media_source/js/message-wizard.es6.js

@@ -181,10 +181,9 @@ document.addEventListener('DOMContentLoaded', () => {
             introText = getValue('jform_studyintro');
         }
 
-        // Strip HTML for preview
-        const tempDiv = document.createElement('div');
-        tempDiv.innerHTML = introText;
-        const introPreview = (tempDiv.textContent || '').substring(0, 200);
+        // Strip HTML for preview (DOMParser is safe — no script execution)
+        const parsed = new DOMParser().parseFromString(introText, 'text/html');
+        const introPreview = (parsed.body.textContent || '').substring(0, 200);
 
         const escHtml = (str) => {
             const d = document.createElement('div');