fix(website): properly escape backslashes and quotes in file paths

The previous implementation only escaped single quotes, which could allow
backslashes in file paths to break out of the JavaScript string context.
Now we escape backslashes first (\ -> \\), then single quotes (' -> \'),
preventing potential security issues.

Fixes CodeQL alert #26 for incomplete string escaping.

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>

Author: Copilot

website/src/scripts/utils.ts

@@ -298,7 +298,8 @@ export function setupDropdownCloseHandlers(): void {
 export function getActionButtonsHtml(filePath: string, small = false): string {
   const btnClass = small ? 'btn-small' : '';
   const iconSize = small ? 14 : 16;
-  const escapedPath = filePath.replace(/'/g, "\\'");
+  // Escape backslashes first, then single quotes to prevent breaking out of string context
+  const escapedPath = filePath.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
 
   return `
     <button class="btn btn-secondary ${btnClass} action-download" data-path="${escapeHtml(filePath)}" onclick="event.stopPropagation(); window.__downloadFile && window.__downloadFile('${escapedPath}')" title="Download file">