Don't store mermaid diagrams in innerHTML

Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements.
Using `.text()` instead mitigates this issue.

Signed-off-by: David Mehren <git@herrmehren.de>

public/js/extra.js

@@ -386,7 +386,7 @@ export function finishView (view) {
 
       window.mermaid.mermaidAPI.parse($value.text())
       $ele.addClass('mermaid')
-      $ele.html($value.text())
+      $ele.text($value.text())
       window.mermaid.init(undefined, $ele)
     } catch (err) {
       var errormessage = err