Fix XSS vulnerability in href attribute injection

Escape HTML special characters in href attributes to prevent
attribute injection attacks. URLs containing quotes like
`https://a.com"onmouseover="alert()"` could break out of the
href attribute and execute arbitrary JavaScript.

Applies escapeHTML() to:
- source.link in addInlineCitations() (line 197)
- safeHref in link renderer (line 238)

Regression from e0ebf461 (Nov 20, 2025) which removed the
escapeAttribute function during refactoring.
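
The breakout described in the commit message above, as an added example that is not the project's code: `escapeHTML`, `renderLinkUnsafe`, `renderLinkSafe` and `attributeNames` are hypothetical stand-ins written for illustration. It lists which attributes the opening tag ends up carrying before and after escaping, using the URL quoted in the message.

```javascript
// Added illustration. All function names here are hypothetical stand-ins,
// not the project's implementation.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that can end an attribute value or open a tag.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before" form: the URL is interpolated raw into a double-quoted attribute.
function renderLinkUnsafe(url, text) {
  return `<a href="${url}">${escapeHTML(text)}</a>`;
}

// "After" form: the URL is escaped before it reaches the attribute.
function renderLinkSafe(url, text) {
  return `<a href="${escapeHTML(url)}">${escapeHTML(text)}</a>`;
}

// Simplified tokenizer for the opening tag (double-quoted values only):
// returns the attribute names that the markup defines.
function attributeNames(html) {
  const openTag = html.slice(0, html.indexOf('>') + 1);
  const attr = /([^\s"'<>\/=]+)\s*=\s*"([^"]*)"/g;
  const names = [];
  let match;
  while ((match = attr.exec(openTag)) !== null) {
    names.push(match[1]);
  }
  return names;
}

// URL taken from the commit message.
const PAYLOAD = 'https://a.com"onmouseover="alert()"';

console.log(renderLinkUnsafe(PAYLOAD, 'source'));
console.log(attributeNames(renderLinkUnsafe(PAYLOAD, 'source')));
console.log(renderLinkSafe(PAYLOAD, 'source'));
console.log(attributeNames(renderLinkSafe(PAYLOAD, 'source')));
```

Escaping keeps the value inside the attribute; it does not validate the URL scheme, which is a separate check.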