fix: multiple critical bugs in frontend

- sidebar: fix library/tag selection event handlers not firing (callbacks never invoked)
- sidebar: fix handleSelectLibrary always passing empty string instead of library id
- dashboard: fix tag filter not persisting when navigating from document view
- app: fix XSS vulnerability in showToast (API error messages not escaped)
- app: fix XSS vulnerability in confirmDelete modal message
- document: fix path traversal risk in export filename

public/js/views/document.js

@@ -81,6 +81,9 @@ export async function renderDocument(app) {
     `;
 
     window.filterByTag = (tag) => {
+      // Store the tag to filter by in app state so dashboard can pick it up
+      app.state.selectedTag = tag;
+      app.state.selectedLibrary = null;
       app.navigate('dashboard');
     };
   }
@@ -94,7 +97,12 @@ export async function renderDocument(app) {
       const url = URL.createObjectURL(blob);
       const a = document.createElement('a');
       a.href = url;
-      a.download = `${doc.id}-${doc.title}.md`;
+      // Sanitize filename to prevent path traversal
+      const safeFilename = (doc.title || 'untitled')
+        .replace(/[^a-zA-Z0-9_\-\s]/g, '')
+        .replace(/\s+/g, '-')
+        .substring(0, 100);
+      a.download = `${doc.id}-${safeFilename}.md`;
       a.click();
       URL.revokeObjectURL(url);
       app.showToast('Document exported', 'success');