
fix: stored XSS in generate_cml_map (hotfix 2) #39

Merged
cchwala merged 1 commit into main from fix/webserver-xss
Apr 29, 2026

Conversation

cchwala (Member) commented Apr 29, 2026

  • Use json.dumps() for cml_ids_json instead of str/replace to prevent JSON injection in the inline <script> block
  • Use json.dumps() for JS onclick argument and markupsafe.escape() for HTML display context in popup_html to prevent stored XSS via cml_id

Closes webserver-hotfix-plan.md Fix 2

- Use json.dumps() for cml_ids_json instead of str/replace to prevent
  JSON injection in the inline <script> block
- Use json.dumps() for JS onclick argument and markupsafe.escape() for
  HTML display context in popup_html to prevent stored XSS via cml_id

Closes webserver-hotfix-plan.md Fix 2
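An added example, not the project's code and not the diff of this PR, of the before-and-after pattern the description lists: str/replace versus json.dumps for the id list in the inline script, and raw interpolation versus json.dumps plus markupsafe.escape for the popup. The function name generate_cml_map comes from the PR title; the JS handler selectCml, the popup layout, the exact pre-fix code and the sample ids are assumptions. It also adds one check the PR text does not mention: json.dumps leaves `<` alone, so an id containing `</script>` would still close the inline block unless `<` is written as `\u003c`.

```python
"""Before/after encoders for the two contexts the PR names: an inline <script>
and per-marker popup HTML with an onclick handler. Example code, not the
project's; generate_cml_map, selectCml and the sample ids are assumptions."""
import json

try:
    from markupsafe import escape  # what the PR uses for the HTML display context
except ImportError:  # stdlib stand-in with the same one-argument contract
    from html import escape

# Constructed sample ids: a benign one, a JSON/JS breakout, an HTML injection
# and a script-block terminator.
SAMPLE_IDS = [
    "cml_0001",
    'a"];alert(1);//',
    "<img src=x onerror=alert(1)>",
    "</script><script>alert(2)</script>",
]


def cml_ids_json_vulnerable(cml_ids):
    """Assumed pre-fix pattern (str + replace, as the PR describes it): a double
    quote inside an id ends the JSON string and the rest runs as JavaScript."""
    return str([str(c) for c in cml_ids]).replace("'", '"')


def cml_ids_json_fixed(cml_ids):
    """json.dumps escapes quotes and backslashes. It does NOT escape '<', so the
    extra replace turns it into the JSON/JS escape \\u003c, which the browser's
    JSON/JS parser reads back as '<' but the HTML parser never sees."""
    return json.dumps([str(c) for c in cml_ids]).replace("<", "\\u003c")


def roundtrip(cml_ids):
    """Helper for checks: the hardened JSON must decode to the original ids."""
    return json.loads(cml_ids_json_fixed(cml_ids))


def popup_html_vulnerable(cml_id):
    """Assumed pre-fix pattern: the id lands raw in HTML text and inside a
    single-quoted JS string literal in an onclick attribute."""
    return (f"<b>{cml_id}</b><br>"
            f"<a href=\"#\" onclick=\"selectCml('{cml_id}')\">select</a>")


def popup_html_fixed(cml_id):
    """Two contexts, two encoders. The onclick value is JavaScript nested inside
    an HTML attribute, so the JSON string literal is HTML-escaped on top: the
    HTML parser decodes the entities back to quotes before the JS engine runs."""
    js_arg = escape(json.dumps(str(cml_id)))
    return (f"<b>{escape(str(cml_id))}</b><br>"
            f"<a href=\"#\" onclick=\"selectCml({js_arg})\">select</a>")


def generate_cml_map(cml_ids):
    """Assumed shape of the page fragment: one inline <script> carrying the id
    list, then one popup per id. Not the project's real function body."""
    popups = "\n".join(popup_html_fixed(c) for c in cml_ids)
    return f"<script>var cmlIds = {cml_ids_json_fixed(cml_ids)};</script>\n{popups}"


if __name__ == "__main__":
    print("vulnerable:", cml_ids_json_vulnerable(SAMPLE_IDS))
    print("fixed:", cml_ids_json_fixed(SAMPLE_IDS))
    print(generate_cml_map(SAMPLE_IDS))
```

Why the double encoding on the onclick argument matters: `json.dumps` alone would emit a bare `"` into a double-quoted HTML attribute and end the attribute early, while `escape` alone would leave a `'` free to close the JS literal. Encoding for the outer context (HTML attribute) over the inner one (JS string) is the order the browser decodes in.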
codecov bot commented Apr 29, 2026

Codecov Report

❌ Patch coverage is 40.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.88%. Comparing base (37cbc64) to head (9bd21a6).
⚠️ Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
webserver/main.py 40.00% 3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main      #39      +/-   ##
==========================================
- Coverage   78.93%   78.88%   -0.05%     
==========================================
  Files          24       24              
  Lines        2317     2321       +4     
==========================================
+ Hits         1829     1831       +2     
- Misses        488      490       +2     
Flag Coverage Δ
mno_simulator 86.72% <ø> (ø)
parser 85.48% <ø> (ø)
webserver 49.09% <40.00%> (+<0.01%) ⬆️

@cchwala cchwala merged commit ee4d3a0 into main Apr 29, 2026
5 of 7 checks passed