fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정

Phase 1 CRITICAL XSS:
- marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management)
- toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header)
- onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail)

Phase 2 HIGH 인가:
- getUserBalance 본인확인 추가 (tksupport vacationController)

Phase 3 HIGH 토큰+CSP:
- localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스)
- unsafe-eval CSP 제거 (system1 security.js)

Phase 4 MEDIUM:
- nginx 보안 헤더 추가 (8개 서비스)
- 500 에러 메시지 마스킹 (5개 API)
- path traversal 방지 (system3 file_service.py)
- cookie fallback 데드코드 제거 (4개 auth.js)
- /login/form rate limiting 추가 (sso-auth)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

system2-report/web/js/api-base.js

@@ -38,11 +38,11 @@ if ('serviceWorker' in navigator) {
    * SSO 토큰 가져오기 (쿠키 우선, localStorage 폴백)
    */
   window.getSSOToken = function() {
-    return cookieGet('sso_token') || localStorage.getItem('sso_token');
+    return cookieGet('sso_token');
   };
 
   window.getSSOUser = function() {
-    var raw = cookieGet('sso_user') || localStorage.getItem('sso_user');
+    var raw = cookieGet('sso_user');
     try { return raw ? JSON.parse(raw) : null; } catch(e) { return null; }
   };
 

system2-report/web/js/issue-detail.js

@@ -232,11 +232,15 @@ function renderPhotos(d) {
   gallery.innerHTML = photos.map(photo => {
     const fullUrl = photo.startsWith('http') ? photo : `${baseUrl}${photo}`;
     return `
-      <div class="photo-item" onclick="openPhotoModal('${fullUrl}')">
-        <img src="${fullUrl}" alt="첨부 사진">
+      <div class="photo-item" data-url="${escapeHtml(fullUrl)}">
+        <img src="${escapeHtml(fullUrl)}" alt="첨부 사진">
       </div>
     `;
   }).join('');
+
+  gallery.querySelectorAll('.photo-item[data-url]').forEach(el => {
+    el.addEventListener('click', () => openPhotoModal(el.dataset.url));
+  });
 }
 
 /**