Fix CSP inline-script/style, Dutch lang attrs, Swedish/French UI localisation

[Copilot]

PR review on the 2026-03-05 evening analysis batch flagged four issues: 'unsafe-inline' in CSP, English UI strings on the Swedish page, a mismatched <h1> on the French page, and English body content in the Dutch page lacking lang attributes.

CSP hardening + theme-init extraction (all 14 files)

• Removed 'unsafe-inline' from script-src and style-src
• Extracted the anti-flash inline snippet into js/theme-init.js; all pages now reference it externally
• Removed media="print" onload="this.media='all'" inline event handler from the Orbitron font link

<!-- before -->
<meta http-equiv="Content-Security-Policy" content="... script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' ...">
<link rel="stylesheet" href="https://fonts.googleapis.com/...Orbitron..." media="print" onload="this.media='all'">
<script>(function(){var key='riksdagsmonitor-theme';...})();</script>

<!-- after -->
<meta http-equiv="Content-Security-Policy" content="... script-src 'self' https:; style-src 'self' https://fonts.googleapis.com ...">
<link rel="stylesheet" href="https://fonts.googleapis.com/...Orbitron...">
<script src="../js/theme-init.js"></script>

Swedish UI localisation (sv.html)

• Skip-link, theme-toggle aria-label/title/data-label-*, and language-switcher aria-label were all English; now Swedish ("Hoppa till huvudinnehåll", "Byt till mörkt/ljust läge", "Språkversioner")

French <h1> alignment (fr.html)

• <h1> was missing the "Analyse du soir : " prefix present in <title>, OG, Twitter, and JSON-LD headline

Dutch content language tagging (nl.html)

• Body paragraphs, English <h2> headings, and both list groups are in English while the page is declared lang="nl"; added lang="en" at paragraph, heading, and <ul> level so assistive tech switches pronunciation correctly

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.