
fix: Replace innerHTML with textContent to fix security scanner false positive #2

Draft

Copilot wants to merge 2 commits into develop from copilot/workaround-innerhtml-issue


Conversation


Copilot AI commented Jan 16, 2026

📑 Summary

Fixes CodeQL/GitHub Advanced Security false positive flagging innerHTML usage in demos/flowchart.html as a "high severity security vulnerability" (DOM text reinterpreted as HTML).

📏 Design Decisions

The changeTheme() function restores diagram source text that was originally captured via textContent. Since this is plain text mermaid syntax (not HTML), using textContent for restoration is semantically correct and eliminates the security warning.

- elem.innerHTML = source;
+ elem.textContent = source;
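Review bot: add a one-line comment above `elem.textContent = source;` stating that `source` is the plain-text mermaid syntax captured earlier via textContent, because the safety argument in the description rests entirely on that invariant; without the comment the next reader (or the next scanner run on a similar pattern) cannot tell why no HTML parsing is wanted here. The description should also record that this is a behaviour fix and not only a scanner workaround: a string captured with textContent is already decoded, so pushing it back through innerHTML would re-parse any `<`, `>` or `&` in diagram labels as markup instead of restoring them literally, whereas textContent round-trips them unchanged.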

📋 Tasks

Make sure you

  • 📖 have read the contribution guidelines
  • 💻 have added necessary unit/e2e tests.
  • 📓 have added documentation. Make sure MERMAID_RELEASE_VERSION is used for all new features.
  • 🦋 If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.
Original prompt

Upstream toolchain complained about the innerHTML usage in the flowchart.html as a "high severity security vulnerability", which I think is a false positive. Please find a way to work around the issue so that the PR can be upstreamed. cf. mermaid-js#7318



…tive

Co-authored-by: vicaya <11239+vicaya@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Workaround high severity security vulnerability in flowchart.html" to "fix: Replace innerHTML with textContent to fix security scanner false positive" on Jan 16, 2026
Copilot AI requested a review from vicaya January 16, 2026 06:58
vicaya pushed a commit that referenced this pull request Mar 14, 2026