
fix(gcode_viewer): close CodeQL XSS + useless-escape alerts on PR #1263

  - slider-shim.js: HTML-attribute-escape opts.id before interpolation
    (only caller passes a constant, but defends against future taint)
  - prettygcode.js: drop useless \\? escape inside [...] character class
maziggy 2 weeks ago
parent
commit
686dce5af4
2 changed files with 12 additions and 3 deletions
  1. 1 1
      gcode_viewer/js/prettygcode.js
  2. 11 2
      gcode_viewer/js/slider-shim.js

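--- a/gcode_viewer/js/prettygcode.js
+++ b/gcode_viewer/js/prettygcode.js
@@ -845,7 +845,7 @@ $(function () {
 
         //util function
         urlParam = function (name) {
-            var results = new RegExp('[\?&]' + name + '=([^&#]*)').exec(window.location.href);
+            var results = new RegExp('[?&]' + name + '=([^&#]*)').exec(window.location.href);
             if (results == null) {
                 return null;
             }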
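Review bot: `name` is still spliced into the RegExp source unescaped on the `var results` line, so dropping `\?` silences the lint rule but leaves the same taint concern the commit message raises for `opts.id`: a name containing regex metacharacters (`.`, `+`, `(`) changes what is matched or throws a SyntaxError. If every caller passes a string literal that is acceptable, but it should be stated at the definition, e.g. `// name must be a literal query-parameter name; it is not regex-escaped`. The regex-free alternative is `new URL(window.location.href).searchParams.get(name)`, with the caveat that it percent-decodes the value and ignores the fragment, neither of which the current expression does. urlParam's body continues past the end of the hunk.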

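--- a/gcode_viewer/js/slider-shim.js
+++ b/gcode_viewer/js/slider-shim.js
@@ -29,11 +29,20 @@
                     value: 0,
                 }, typeof optsOrCmd === 'object' ? optsOrCmd : {});
 
-                // Build the DOM
+                // Build the DOM. opts.id is HTML-attribute-escaped before
+                // interpolation so a future caller passing a tainted id can't
+                // break out of the attribute (CodeQL: js/html-constructed-from-input).
+                function escapeAttr(s) {
+                    return String(s).replace(/&/g, '&')
+                                    .replace(/"/g, '"')
+                                    .replace(/'/g, ''')
+                                    .replace(/</g, '&lt;')
+                                    .replace(/>/g, '&gt;');
+                }
                 var isVertical = opts.orientation === 'vertical';
                 var trackHtml =
                     '<div class="slider' + (isVertical ? ' slider-vertical' : '') + '"' +
-                    (opts.id ? ' id="' + opts.id + '"' : '') + '>' +
+                    (opts.id ? ' id="' + escapeAttr(opts.id) + '"' : '') + '>' +
                     '<div class="slider-track"><div class="slider-selection"></div></div>' +
                     '<div class="slider-handle round">0</div>' +
                     '</div>';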
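Review bot: As this page shows them, the first three replacements in `escapeAttr` are no-ops or broken — `&` is replaced with `&`, `"` with `"`, and the `'` line reads `''')`, which does not parse — so unless this is an entity-decoding artifact of the page view, the escaper never neutralises `"` and a value containing a double quote still closes the `id` attribute, which is exactly the break-out the commit claims to prevent. The replacement strings must be entity references: `.replace(/&/g, '&amp;')`, `.replace(/"/g, '&quot;')`, `.replace(/'/g, '&#39;')`; the `&lt;`/`&gt;` lines are correct as shown, and the escaper should be verified against a test id such as `x" onmouseover="alert(1)` before the CodeQL alert is considered closed. A simpler and stronger option for an id is to avoid string-building altogether and set it through the DOM (`el.id = opts.id`), or to reject ids that fail a strict pattern like `/^[A-Za-z][\w-]*$/`, since an id never legitimately contains quotes, angle brackets or ampersands. The enclosing function starts before the hunk, so the comment on `opts.id` being a constant today cannot be checked from here.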