Security patch release. Fixes CodeQL alerts #1 (incomplete string sanitization) and #2 (incomplete multi-character sanitization), strengthens tag-specific HTML URL handling, and adds adversarial Markdown security regression coverage. Marketplace publication requires publisher-owned vsce authentication and is not claimed by this release.