fix: decomposed structure preview

app.py

@@ -222,16 +222,18 @@ def create_error_html(message: str) -> str:
 
 
 def create_svg_viewer_html(svg_content: str) -> str:
-    """Create SVG viewer HTML with XSS protection."""
-    # Basic sanitization - in production, use a proper SVG sanitizer
-    safe_svg = html.escape(svg_content).replace('&lt;', '<').replace('&gt;', '>')
+    """Create SVG viewer HTML."""
+    # Basic SVG validation - ensure it starts with <svg and ends with </svg>
+    svg_content = svg_content.strip()
+    if not svg_content.startswith('<svg') or not svg_content.endswith('</svg>'):
+        return create_error_html("Invalid SVG format")
     
     return f"""
     <div style='padding: 20px; background: #fff; border: 1px solid #eee; border-radius: 8px; display: block;'>
         <div style='display: block; align-items: center; margin-bottom: 10px;'>
         </div>
-        <div id='animation-container' style='min-height: 300px; display: block; justify-content: center; align-items: center; background: #fafafa; border-radius: 4px; padding: 20px;'>
-            {safe_svg}
+        <div id='animation-container' style='min-height: 300px; display: flex; justify-content: center; align-items: center; background: #fafafa; border-radius: 4px; padding: 20px;'>
+            {svg_content}
         </div>
     </div>
     """
@@ -320,8 +322,8 @@ def create_animation_preview(animation_desc: str, svg_content: str) -> tuple:
             f.write(html_content)
         print(f"Animation preview saved to: {html_path}")
 
-        # Create iframe HTML with XSS protection
-        safe_html_content = html.escape(html_content).replace('"', '&quot;')
+        # Create iframe HTML - only escape quotes for srcdoc attribute
+        safe_html_content = html_content.replace('"', '&quot;')
         preview_html = f"""
         <div style='padding: 20px; background: #fff; border: 1px solid #eee; border-radius: 8px; display: block;'>
             <div style='display: block; align-items: center; margin-bottom: 10px;'>