Add DOMPurify for XSS protection in Markdown rendering

Includes DOMPurify library to sanitize HTML output when converting Markdown, preventing potential XSS vulnerabilities.

Per this review comment:

#544 (comment)

Author: alexander-yevsyukov

site/assets/js/pages/oss-licenses.js

@@ -30,8 +30,9 @@
  * Loads markdown content from the dependency report files
  * via Spine public repositories.
  *
- * The script requires the `https://github.com/showdownjs/showdown`
- * library to be loaded on the page.
+ * The script requires both the `https://github.com/showdownjs/showdown`
+ * Markdown converter and the `https://github.com/cure53/DOMPurify`
+ * sanitizer to be loaded on the page before this script runs.
  *
  * See `layouts/_partials/oss-licenses/licenses.html` for usage.
  */
@@ -78,8 +79,7 @@ $(
                 clickedElement.attr(loadedAttr, 'loading');
                 const processLoadedContent = function (data) {
                     const html = converter.makeHtml(data);
-                    const sanitized = typeof DOMPurify !== 'undefined' ? DOMPurify.sanitize(html) : html;
-                    mdDestinationEl.html(sanitized);
+                    mdDestinationEl.html(DOMPurify.sanitize(html));
                     clickedElement.attr(loadedAttr, 'true');
                     makeCollapsibleTitle(mdDestinationEl, clickedElRepoName);
                 };

site/layouts/_partials/oss-licenses/licenses.html

@@ -46,6 +46,12 @@
     </div>
 {{ end }}
 
+<!-- HTML sanitizer required by `assets/js/pages/oss-licenses.js`
+to prevent XSS when injecting remote Markdown as HTML. -->
+<script src="https://cdn.jsdelivr.net/npm/dompurify@3/dist/purify.min.js"
+        type="text/javascript"
+        charset="utf-8"></script>
+
 <!-- The JavaScript Markdown to HTML converter.
 Used in the `assets/js/pages/oss-licenses.js`. -->
 <script src="https://cdn.rawgit.com/showdownjs/showdown/1.9.0/dist/showdown.min.js"