fix: address CodeQL XSS finding in timeline.html

- Sanitize branch param before using as script src
- Use textContent + createElement instead of innerHTML for subtitle
- Fix label extraction to use .pop() (matches underscore separator)

Author: johnathan79717

bench/timeline.html

@@ -31,9 +31,10 @@ <h1 id="title">Memory Timeline (Peak RSS)</h1>
   if (!commitId) {
     document.getElementById("subtitle").textContent = "No commit specified. Click a point on a stacked chart to view its timeline.";
   } else {
-    // Load data.js for this branch
+    // Load data.js for this branch (sanitize branch to prevent path traversal)
+    const safeBranch = branch.replace(/[^a-zA-Z0-9_\-\/\.]/g, "");
     const script = document.createElement("script");
-    script.src = branch + "/data.js";
+    script.src = safeBranch + "/data.js";
     script.onload = function() {
       if (!window.BENCHMARK_DATA) {
         document.getElementById("subtitle").textContent = "Could not load benchmark data.";
@@ -53,9 +54,7 @@ <h1 id="title">Memory Timeline (Peak RSS)</h1>
         const extra = b.extra || "";
         const match = extra.match(/^stacked:(.+)$/);
         if (match && (!chartFilter || match[1] === chartFilter)) {
-          // Use last 2 path segments as label
-          const parts = b.name.split("/");
-          const label = parts.length >= 2 ? parts.slice(-2).join("/") : parts.pop();
+          const label = b.name.split("/").pop();
           stages.push({ label: label, value: b.value, unit: b.unit || "MB" });
         }
       });
@@ -74,11 +73,13 @@ <h1 id="title">Memory Timeline (Peak RSS)</h1>
       const commitMsg = entry.commit.message || "";
 
       document.getElementById("title").textContent = commitId.slice(0, 7) + " Memory Timeline";
-      const backHref = "index.html?branch=" + encodeURIComponent(branch);
-      document.getElementById("subtitle").innerHTML =
-        stages.length + " stages | Peak: " + peakVal + " " + unit +
-        " at " + stages[peakIdx].label +
-        ' | <a href="' + backHref + '">&larr; Back to dashboard</a>';
+      const subtitle = document.getElementById("subtitle");
+      subtitle.textContent = stages.length + " stages | Peak: " + peakVal + " " + unit +
+        " at " + stages[peakIdx].label + " | ";
+      const backLink = document.createElement("a");
+      backLink.href = "index.html?branch=" + encodeURIComponent(branch);
+      backLink.textContent = "\u2190 Back to dashboard";
+      subtitle.appendChild(backLink);
 
       const labels = stages.map(s => s.label.length > 55 ? s.label.slice(0, 52) + "..." : s.label);
       const fullLabels = stages.map(s => s.label);