fix: 보안 취약점 수정 및 XSS 방지 적용

## 백엔드 보안 수정
- 하드코딩된 비밀번호 및 JWT 시크릿 폴백 제거
- SQL Injection 방지를 위한 화이트리스트 검증 추가
- 인증 미적용 API 라우트에 requireAuth 미들웨어 적용
- CSRF 보호 미들웨어 구현 (csrf.js)
- 파일 업로드 보안 유틸리티 추가 (fileUploadSecurity.js)
- 비밀번호 정책 검증 유틸리티 추가 (passwordValidator.js)

## 프론트엔드 XSS 방지
- api-base.js에 전역 escapeHtml() 함수 추가
- 17개 주요 JS 파일에 escapeHtml 적용:
  - tbm.js, daily-patrol.js, daily-work-report.js
  - task-management.js, workplace-status.js
  - equipment-detail.js, equipment-management.js
  - issue-detail.js, issue-report.js
  - vacation-common.js, worker-management.js
  - safety-report-list.js, nonconformity-list.js
  - project-management.js, workplace-management.js

## 정리
- 백업 폴더 및 빈 파일 삭제
- SECURITY_GUIDE.md 문서 추가

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

web-ui/js/vacation-common.js

@@ -83,25 +83,31 @@ function renderVacationRequests(requests, containerId, showActions = false, acti
       </thead>
       <tbody>
         ${requests.map(request => {
-          const statusClass = request.status === 'pending' ? 'status-pending' :
-                            request.status === 'approved' ? 'status-approved' : 'status-rejected';
-          const statusText = request.status === 'pending' ? '대기' :
-                            request.status === 'approved' ? '승인' : '거부';
+          const validStatuses = ['pending', 'approved', 'rejected'];
+          const safeStatus = validStatuses.includes(request.status) ? request.status : 'pending';
+          const statusClass = safeStatus === 'pending' ? 'status-pending' :
+                            safeStatus === 'approved' ? 'status-approved' : 'status-rejected';
+          const statusText = safeStatus === 'pending' ? '대기' :
+                            safeStatus === 'approved' ? '승인' : '거부';
+          const workerName = escapeHtml(request.worker_name || '알 수 없음');
+          const typeName = escapeHtml(request.vacation_type_name || request.type_name || '알 수 없음');
+          const reasonText = escapeHtml(request.reason || '-');
+          const daysUsed = parseFloat(request.days_used) || 0;
 
           return `
             <tr>
-              <td><strong>${request.worker_name || '알 수 없음'}</strong></td>
-              <td>${request.vacation_type_name || request.type_name || '알 수 없음'}</td>
-              <td>${request.start_date}</td>
-              <td>${request.end_date}</td>
-              <td>${request.days_used}일</td>
+              <td><strong>${workerName}</strong></td>
+              <td>${typeName}</td>
+              <td>${escapeHtml(request.start_date || '-')}</td>
+              <td>${escapeHtml(request.end_date || '-')}</td>
+              <td>${daysUsed}일</td>
               <td>
                 <span class="status-badge ${statusClass}">
                   ${statusText}
                 </span>
               </td>
-              <td style="max-width: 200px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;" title="${request.reason || '-'}">
-                ${request.reason || '-'}
+              <td style="max-width: 200px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;" title="${reasonText}">
+                ${reasonText}
               </td>
               ${showActions ? renderActionButtons(request, actionType) : ''}
             </tr>
@@ -118,14 +124,15 @@ function renderVacationRequests(requests, containerId, showActions = false, acti
  * 액션 버튼 렌더링
  */
 function renderActionButtons(request, actionType) {
+  const safeRequestId = parseInt(request.request_id) || 0;
   if (actionType === 'approval' && request.status === 'pending') {
     return `
       <td>
         <div style="display: flex; gap: 0.5rem;">
-          <button class="btn-small btn-success" onclick="approveVacationRequest(${request.request_id})" title="승인">
+          <button class="btn-small btn-success" onclick="approveVacationRequest(${safeRequestId})" title="승인">
             ✓
           </button>
-          <button class="btn-small btn-danger" onclick="rejectVacationRequest(${request.request_id})" title="거부">
+          <button class="btn-small btn-danger" onclick="rejectVacationRequest(${safeRequestId})" title="거부">
             ✗
           </button>
         </div>
@@ -134,7 +141,7 @@ function renderActionButtons(request, actionType) {
   } else if (actionType === 'delete' && request.status === 'pending') {
     return `
       <td>
-        <button class="btn-small btn-danger" onclick="deleteVacationRequest(${request.request_id})" title="삭제">
+        <button class="btn-small btn-danger" onclick="deleteVacationRequest(${safeRequestId})" title="삭제">
           삭제
         </button>
       </td>