fix(#190,#191): fix XSS vulnerabilities in Mermaid and WikiLink rendering

CRITICAL SECURITY FIXES for two XSS vulnerabilities

Mermaid XSS Fix (#190):
- Changed securityLevel from "loose" to "strict"
- Disabled htmlLabels to prevent HTML injection
- Blocks script execution and event handlers in SVG output

WikiLink XSS Fix (#191):
- Added alphanumeric whitelist validation for slugs
- Escape HTML entities in title attribute
- Reject slugs with special characters that could break attributes
- Return escaped text for invalid slugs

Security Impact:
- Prevents account takeover via cookie theft
- Blocks malicious script execution in user browsers
- Enforces strict content security for user-provided content

Fixes #190, #191

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

apps/web/src/components/mindmap/MermaidViewer.tsx

@@ -36,10 +36,10 @@ export function MermaidViewer({
         theme: isDark ? "dark" : "default",
         flowchart: {
           useMaxWidth: true,
-          htmlLabels: true,
+          htmlLabels: false,
           curve: "basis",
         },
-        securityLevel: "loose",
+        securityLevel: "strict",
       });
 
       // Generate unique ID for this render