fix: Add HTML escaping for message headers to prevent XSS

Summary of changes
- Added an `escapeHTML` function to sanitize header values.
- Updated the rendering of list items in message headers to use the `escapeHTML` function.

Reasoning for changes:
- Introduced an `escapeHTML` method to protect against potential cross-site scripting (XSS) attacks by encoding special HTML characters in message headers.
- Ensured that any content displayed in the application is treated as plain text, preventing malicious scripts from being executed through user-generated content.
- Improved overall security of the message rendering process in `message.mjs`.

source/components/content/viewer/message.mjs

@@ -193,6 +193,15 @@ class MessageContent extends CustomElement {
 		this.setOption("message.subject", message?.subject || null);
 		this.setOption("message.messageID", message?.messageID || null);
 
+		function escapeHTML(str) {
+			return str
+				.replace(/&/g, "&")
+				.replace(/</g, "&lt;")
+				.replace(/>/g, "&gt;")
+				.replace(/"/g, "&quot;")
+				.replace(/'/g, "&#39;");
+		}
+
 		const headers = [];
 		for (const [key, value] of Object.entries(message?.headers || {})) {
 			if (key && value) {
@@ -200,7 +209,8 @@ class MessageContent extends CustomElement {
 				if (isArray(valueString)) {
 					valueString = "<ul>";
 					for (const item of value) {
-						valueString += `<li>${item}</li>`;
+						const escapedItem = escapeHTML(item);
+						valueString += `<li>${escapedItem}</li>`;
 					}
 					valueString += "</ul>";
 				}