TASK-019: Fix XSS vulnerability in DICOM series display

- Add html.EscapeString() to series_desc when building Series struct
- Prevents JavaScript injection via malicious DICOM metadata

Security impact: XSS payloads in series descriptions now render as harmless text.

portal/api_client.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"html"
 	"io"
 	"net/http"
 	"sort"
@@ -189,7 +190,7 @@ func fetchStudiesWithSeries(dossierHex string) ([]Study, error) {
 				for _, ser := range apiSeries {
 					s.Series = append(s.Series, Series{
 						ID:          ser.ID,
-						Description: ser.SeriesDesc,
+						Description: html.EscapeString(ser.SeriesDesc), // FIX TASK-019: XSS prevention
 						Modality:    ser.Modality,
 						SliceCount:  ser.SliceCount,
 					})