fix(security): eliminate XSS vectors and restore zoom accessibility

- Extract shared esc() utility (public/utils/html.js) replacing 8
  duplicate escHtml() functions across all page modules
- Apply HTML escaping to all user-controlled data in innerHTML
  templates: titles, names, locations, descriptions, colors, notes
  content, weather data, autocomplete suggestions
- Remove user-scalable=no and maximum-scale=1 from viewport meta
  tag, restoring pinch-to-zoom for WCAG 1.4.4 compliance
- Bump version to 0.7.1

public/utils/html.js

@@ -0,0 +1,27 @@
+/**
+ * Modul: HTML Utilities
+ * Zweck: XSS-Schutz fuer innerHTML-basiertes Rendering
+ * Abhaengigkeiten: keine
+ */
+
+const ESCAPE_MAP = {
+  '&': '&',
+  '<': '&lt;',
+  '>': '&gt;',
+  '"': '&quot;',
+  "'": '&#39;',
+};
+
+const ESCAPE_RE = /[&<>"']/g;
+
+/**
+ * Escapet einen String fuer die sichere Einbettung in HTML.
+ * Gibt fuer null/undefined einen Leerstring zurueck.
+ *
+ * @param {*} str - Beliebiger Wert (wird zu String konvertiert)
+ * @returns {string} HTML-sicherer String
+ */
+export function esc(str) {
+  if (str == null) return '';
+  return String(str).replace(ESCAPE_RE, (ch) => ESCAPE_MAP[ch]);
+}