fix: sanitize WebSocket data in HTML templates (XSS #47)

src/dashboard/templates/swarm_live.html

@@ -198,17 +198,43 @@ function addActivityEvent(evt) {
         } catch(e) {}
     }
     
-    item.innerHTML = `
-        <div class="activity-icon">${icon}</div>
-        <div class="activity-content">
-            <div class="activity-label">${label}</div>
-            ${desc ? `<div class="activity-desc">${desc}</div>` : ''}
-            <div class="activity-meta">
-                <span class="activity-time">${time}</span>
-                <span class="activity-source">${evt.source || 'system'}</span>
-            </div>
-        </div>
-    `;
+    // Build DOM safely using createElement and textContent
+    var iconDiv = document.createElement('div');
+    iconDiv.className = 'activity-icon';
+    iconDiv.textContent = icon;
+    
+    var contentDiv = document.createElement('div');
+    contentDiv.className = 'activity-content';
+    
+    var labelDiv = document.createElement('div');
+    labelDiv.className = 'activity-label';
+    labelDiv.textContent = label;
+    contentDiv.appendChild(labelDiv);
+    
+    if (desc) {
+        var descDiv = document.createElement('div');
+        descDiv.className = 'activity-desc';
+        descDiv.textContent = desc;
+        contentDiv.appendChild(descDiv);
+    }
+    
+    var metaDiv = document.createElement('div');
+    metaDiv.className = 'activity-meta';
+    
+    var timeSpan = document.createElement('span');
+    timeSpan.className = 'activity-time';
+    timeSpan.textContent = time;
+    
+    var sourceSpan = document.createElement('span');
+    sourceSpan.className = 'activity-source';
+    sourceSpan.textContent = evt.source || 'system';
+    
+    metaDiv.appendChild(timeSpan);
+    metaDiv.appendChild(sourceSpan);
+    contentDiv.appendChild(metaDiv);
+    
+    item.appendChild(iconDiv);
+    item.appendChild(contentDiv);
     
     // Add to top
     container.insertBefore(item, container.firstChild);