fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정

Phase 1 CRITICAL XSS:
- marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management)
- toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header)
- onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail)

Phase 2 HIGH 인가:
- getUserBalance 본인확인 추가 (tksupport vacationController)

Phase 3 HIGH 토큰+CSP:
- localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스)
- unsafe-eval CSP 제거 (system1 security.js)

Phase 4 MEDIUM:
- nginx 보안 헤더 추가 (8개 서비스)
- 500 에러 메시지 마스킹 (5개 API)
- path traversal 방지 (system3 file_service.py)
- cookie fallback 데드코드 제거 (4개 auth.js)
- /login/form rate limiting 추가 (sso-auth)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

system3-nonconformance/web/static/js/components/common-header.js

@@ -641,7 +641,8 @@ class CommonHeader {
         }`;
         
         const icon = type === 'success' ? 'fa-check-circle' : 'fa-exclamation-circle';
-        toast.innerHTML = `<i class="fas ${icon} mr-2"></i>${message}`;
+        const _esc = s => { const d = document.createElement('div'); d.textContent = s; return d.innerHTML; };
+        toast.innerHTML = `<i class="fas ${icon} mr-2"></i>${_esc(message)}`;
         
         document.body.appendChild(toast);
         

system3-nonconformance/web/static/js/core/auth-manager.js

@@ -72,14 +72,14 @@ class AuthManager {
      * SSO 토큰 가져오기 (쿠키 우선, localStorage 폴백)
      */
     _getToken() {
-        return this._cookieGet('sso_token') || localStorage.getItem('sso_token');
+        return this._cookieGet('sso_token');
     }
 
     /**
      * SSO 사용자 정보 가져오기 (쿠키 우선, localStorage 폴백)
      */
     _getUser() {
-        const ssoUser = this._cookieGet('sso_user') || localStorage.getItem('sso_user');
+        const ssoUser = this._cookieGet('sso_user');
         if (ssoUser && ssoUser !== 'undefined' && ssoUser !== 'null') {
             try { return JSON.parse(ssoUser); } catch(e) {}
         }

system3-nonconformance/web/static/js/pages/ai-assistant.js

@@ -196,7 +196,7 @@ function appendChatMessage(role, content, sources) {
     const contentDiv = document.createElement('div');
     if (role === 'ai' && typeof marked !== 'undefined') {
         contentDiv.className = 'text-sm prose prose-sm max-w-none';
-        contentDiv.innerHTML = marked.parse(content);
+        contentDiv.innerHTML = DOMPurify.sanitize(marked.parse(content));
     } else {
         contentDiv.className = 'text-sm whitespace-pre-line';
         contentDiv.textContent = content;

system3-nonconformance/web/static/js/pages/issues-management.js

@@ -990,7 +990,7 @@ async function aiSuggestSolution() {
         const raw = data.suggestion || '';
         content.dataset.raw = raw;
         if (typeof marked !== 'undefined') {
-            content.innerHTML = marked.parse(raw);
+            content.innerHTML = DOMPurify.sanitize(marked.parse(raw));
         } else {
             content.textContent = raw;
         }
@@ -1030,7 +1030,7 @@ async function aiSuggestSolutionInline(issueId) {
         const raw = data.suggestion || '';
         content.dataset.raw = raw;
         if (typeof marked !== 'undefined') {
-            content.innerHTML = marked.parse(raw);
+            content.innerHTML = DOMPurify.sanitize(marked.parse(raw));
         } else {
             content.textContent = raw;
         }