high · XSS · 2026-06-10 · 3 min read
Stored XSS via Markdown image onerror in a comment field
The sanitizer allowed img tags but not their attributes, except that an onerror handler slipped through a parser quirk.
A permissive Markdown-to-HTML step ran before sanitization, and a parser edge case let an onerror handler survive on an img tag. Fix: sanitize the final rendered HTML with a strict allow-list (rehype-sanitize) rather than filtering attributes by denylist; a denylist only catches the spellings its author anticipated.
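The failure mode above, as an added example that is not the post's or the affected project's code: a permissive Markdown image renderer that passes raw HTML through, a denylist attribute filter that only understands one spelling of an event handler, and an allow-list sanitizer that rebuilds every img tag from a parsed attribute set. The comment text is constructed, and the unquoted `onerror=` spelling is an assumed stand-in for the (unspecified) parser quirk in the writeup, not the quirk itself.

```javascript
// Added example: denylist attribute stripping beside allow-list rebuilding.
// Constructed sample comment: Markdown image plus two raw <img> payloads.
const COMMENT = [
  "Nice post! ![cat](https://img.example/cat.png)",
  '<img src="x" onerror="alert(1)">',           // denylist below catches this spelling
  "<img src=x onerror=alert(document.cookie)>", // ...but not this one (assumed quirk)
].join("\n");

const ALLOWED_TAGS = new Set(["p", "em", "strong", "img"]);
const ALLOWED_IMG_ATTRS = new Set(["src", "alt", "title"]);

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Permissive Markdown step: turns ![alt](src) into <img> and leaves any raw
// HTML untouched, so attacker markup reaches whatever runs next.
function renderMarkdownImages(md) {
  return md.replace(/!\[([^\]]*)\]\(([^)\s]+)\)/g,
    (_, alt, src) => `<img src="${src}" alt="${alt}">`);
}

// Denylist filter: removes on*="..." handlers. It knows one attribute syntax
// (double-quoted value), so an unquoted handler survives.
function denylistSanitize(html) {
  return html.replace(/\son[a-z]+="[^"]*"/gi, "");
}

// Tag and attribute tokenizers for the allow-list pass. Quoted values may
// contain '>' and unquoted values are accepted, matching browser parsing more
// closely than the denylist regex above.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Allow-list sanitizer: text is escaped, unknown tags are dropped, and an
// <img> is emitted only from its parsed attributes, keeping src/alt/title and
// requiring an absolute http(s) src. Nothing from the input is copied verbatim.
function allowlistSanitize(html) {
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeHtml(html.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;            // unknown tag: dropped
    if (name !== "img") {
      out += closing ? `</${name}>` : `<${name}>`;    // structural tags: no attributes at all
      continue;
    }
    if (closing) continue;
    const attrs = parseAttrs(m[3]);
    if (!/^https?:\/\//i.test(attrs.src || "")) continue; // rejects javascript:, data:, relative
    const kept = Object.entries(attrs)
      .filter(([k]) => ALLOWED_IMG_ATTRS.has(k))
      .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`)
      .join("");
    out += `<img${kept}>`;
  }
  return out + escapeHtml(html.slice(last));
}

// Detection helper: does any tag in the output still carry an on* attribute?
function hasEventHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}
```

Run `allowlistSanitize(renderMarkdownImages(COMMENT))` against `denylistSanitize(...)` on the same input: the denylist output still carries `onerror=alert(document.cookie)`, while the allow-list output keeps only the Markdown-generated image, since both raw img tags fail the `src` check. The ordering matters as much as the allow-list: the sanitizer runs on the final HTML, after the Markdown step, so nothing the renderer emits or passes through escapes it.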