Add a section on HTML and JavaScript in post content #91

Open
dknauss wants to merge 1 commit into WordPress:master from dknauss:add-unfiltered-html-section

Conversation


@dknauss dknauss commented May 17, 2026

Summary

Closes #52. Adds an <h4> subsection under Further Security Risks and Concerns titled HTML and JavaScript in Post Content, placed alongside the existing XXE and SSRF entries.

Does not remove the brief existing OWASP A3 mention, but after #88 merges, that reference will be eliminated, and a shorter OWASP summary mention will appear under the A05:2025 — Injection paragraph. That new paragraph still contains a brief unfiltered_html/KSES sentence:

Content submitted by untrusted users is filtered through the KSES library … while trusted roles with the unfiltered_html capability … are permitted to publish raw HTML and JavaScript by design.

The new section explains that the unfiltered_html capability is an intentional design choice rather than a vulnerability, covering:

  • Which roles have the capability by default. (Administrators and editors on single-site, Super Admins on Multisite.)
  • What KSES does for content created by Author and Contributor roles.
  • How site owners can revoke unfiltered_html per role when their threat model requires it, and that hosts and security plugins often do this by default.

The framing matches @johnbillion's note in #52 that this is the most common subject of invalid reports received by the security team — the section is informational, not alarmist.

Notes for the reviewer

Addresses WordPress#52. Adds an h4 subsection under 'Further Security Risks and Concerns' explaining the unfiltered_html capability: which roles have it by default, what KSES filtering does for lower-privilege roles, and how site owners can revoke the capability when their threat model requires it.
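The three points the description lists (which roles hold unfiltered_html, what KSES does for everyone else, and how a site owner revokes the capability) can be shown in one small plugin. The following is an added example written for this page; it is not code from the pull request, from the WordPress security handbook, or from WordPress core. The plugin header, the function names prefixed `example_`, and the list of roles to restrict are constructed for illustration; `DISALLOW_UNFILTERED_HTML`, the `map_meta_cap` filter, `WP_Role::remove_cap()`, `user_can()` and `wp_kses_post()` are existing WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example: revoke unfiltered_html (constructed example, not core code)
 * Description: Three ways to make post content from chosen roles always pass
 *              through KSES, for sites whose threat model requires it.
 */

// Option A: the core constant. Putting this line in wp-config.php makes
// map_meta_cap() deny unfiltered_html to every user, Super Admins included.
// It is the approach many hosts and security plugins apply by default.
// define( 'DISALLOW_UNFILTERED_HTML', true );

// Option B: deny the capability for selected roles only, at request time,
// without changing the role definitions stored in the database.
// The role list below is a constructed example; adjust it to your threat model.
function example_restricted_roles() {
    return array( 'editor' );
}

add_filter( 'map_meta_cap', 'example_deny_unfiltered_html', 10, 3 );
function example_deny_unfiltered_html( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }
    $user = get_userdata( $user_id );
    if ( $user && array_intersect( example_restricted_roles(), (array) $user->roles ) ) {
        // 'do_not_allow' is the sentinel core uses to hard-deny a capability.
        return array( 'do_not_allow' );
    }
    return $caps;
}

// Option C: persistent change. WP_Role::remove_cap() writes to the stored
// role definition, so it survives this plugin being deactivated; run it once.
// (register_activation_hook does not fire for mu-plugins, so this file is
// meant to live in wp-content/plugins/.)
register_activation_hook( __FILE__, 'example_revoke_unfiltered_html_persistently' );
function example_revoke_unfiltered_html_persistently() {
    foreach ( array( 'editor', 'administrator' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role && $role->has_cap( 'unfiltered_html' ) ) {
            $role->remove_cap( 'unfiltered_html' );
        }
    }
}

// Verification helper: report whether a user may publish raw HTML, and what
// KSES would leave of a given post body. For a user without the capability,
// wp_kses_post() strips tags not on the post allow-list (such as <script>)
// and attributes not on the allow-list for that tag (such as onclick).
function example_describe_content_policy( $user_id, $post_body ) {
    return array(
        'raw_html_allowed' => user_can( $user_id, 'unfiltered_html' ),
        'after_kses'       => wp_kses_post( $post_body ),
    );
}

// Usage from a WP-CLI shell or a temporary admin-only page (constructed input):
// print_r( example_describe_content_policy( 2, '<p onclick="x()">Hi</p><script>x()</script>' ) );
```

Options B and C differ in where the decision lives: B is visible in code and can be reviewed and version-controlled, C changes database state that an administrator can later reverse from a role-editing plugin without anyone noticing in the code base. Whichever is used, `user_can( $id, 'unfiltered_html' )` is the check to run after deployment, because that is the question core asks before deciding whether to pass a post body through KSES.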

Development

Successfully merging this pull request may close these issues.

Improve section about JavaScript in post content