markdown-novel-viewer
Warn
Audited by Socket on Mar 29, 2026
1 alert found:
Security (MEDIUM): scripts/lib/plan-navigator.cjs
Likely non-malicious parsing/navigation logic, but it has significant security weaknesses: it directly injects markdown-derived values (e.g., phase names, plan name, next/prev labels) into returned HTML without escaping (high XSS risk). It also resolves markdown-provided file/link targets with `path.resolve` without confining them to the intended directory, which can enable path traversal or unintended file access if the downstream `/view` route does not strictly validate paths.
Confidence: 75%, Severity: 75%