Remove all innerHTML in js
ref: #44 ref: https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML
innerHTML is insecure and requires the insecure CSP script-src unsafe-inline. Used appx. 150 times in the js.
Step 1: Where the "HTML" is really just plain text, use textContent instead.
Step 2: Where we're really inserting HTML, that's harder. To be researched.