Fix remaining frontend security issues (3 medium, 2 low)

- Escape user-input port number in app-selector innerHTML
- Replace inline onclick with addEventListener in backup history (HTML entity decode bypass)
- Add Content-Security-Policy meta tag with script hash
- Replace document.write with textContent for footer year
- Filter __proto__/constructor/prototype in Object.assign calls

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

status/index.html

@@ -8,6 +8,7 @@
   <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
   <meta http-equiv="Pragma" content="no-cache" />
   <meta http-equiv="Expires" content="0" />
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'sha256-6JZtsKK/PZthh+stCmmCvC2QxCiyk6SwZCBjXE+kYr0='; style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.jsdelivr.net data:; connect-src 'self' https://api.open-meteo.com https://geocoding-api.open-meteo.com; font-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'">
 
   <link rel="icon" href="/assets/dashcaddy-favicon.ico" sizes="any">
   <link rel="icon" type="image/png" sizes="192x192" href="/assets/icon-192.png">
@@ -534,13 +535,15 @@
           if (el) el.style.display = 'none';
         }
       }
+      var yr = document.getElementById('footer-year');
+      if (yr) yr.textContent = new Date().getFullYear();
     })();
   </script>
 
   <!-- Clock rendering is handled by the bundled clock.js module -->
 
   <footer class="dashcaddy-footer">
-    <span class="footer-copy">&copy; <script>document.write(new Date().getFullYear())</script></span>
+    <span class="footer-copy">&copy; <span id="footer-year"></span></span>
     <img src="/assets/sami7777-logo.png" alt="samiahmed7777" class="footer-logo">
   </footer>