The snippets.ts refactor correctly added escapeHTML() to the preview
for XSS protection. Update test to expect:
- HTML entities escaped (<div> → &lt;div&gt;)
- Newlines converted to <br/>