4.1-nightly-2026-05-16
Pre-release
224 commits to main since this release
fix: escape gravatarUrl in client-side comment rendering

Escape commentData.gravatarUrl with escapeHtml() before interpolating it into the comment img src attribute, matching how the username is already handled. The URL is server-generated, so this is hardening for consistency rather than a fix for an exploitable issue.

Document why insertAdjacentHTML is safe here (escaped username/URL, server-sanitized comment body) and annotate the line for the scanner.
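The pattern the commit describes, as an added example that is not the project's own code: every value interpolated into the markup string is passed through an HTML escaper before insertAdjacentHTML, so a value containing a quote cannot terminate the src attribute. The escapeHtml() implementation, the commentData field names (username, gravatarUrl, bodyHtml) and the sample comment are assumptions made for illustration; the unescaped variant is included only to show what the escaping prevents.

```javascript
// Added example (not the project's code). escapeHtml() and the commentData
// shape are assumptions; the sample input below is constructed.

function escapeHtml(value) {
  // Escape the five characters that can break out of text content or a
  // quoted attribute value.
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: username and gravatarUrl are escaped before being
// placed in attributes and text. bodyHtml is assumed to be server-sanitized
// HTML and is inserted as-is; that server-side sanitization is the trust
// boundary that makes the later insertAdjacentHTML call safe.
function renderCommentHtml(commentData) {
  const username = escapeHtml(commentData.username);
  const gravatarUrl = escapeHtml(commentData.gravatarUrl);
  return (
    '<div class="comment">' +
    `<img class="avatar" src="${gravatarUrl}" alt="${username}">` +
    `<span class="username">${username}</span>` +
    `<div class="body">${commentData.bodyHtml}</div>` +
    "</div>"
  );
}

// The "before" shape for contrast: gravatarUrl interpolated raw. A URL that
// contains a double quote closes the src attribute and injects markup.
function renderCommentHtmlUnescaped(commentData) {
  const username = escapeHtml(commentData.username);
  return (
    '<div class="comment">' +
    `<img class="avatar" src="${commentData.gravatarUrl}" alt="${username}">` +
    `<span class="username">${username}</span>` +
    `<div class="body">${commentData.bodyHtml}</div>` +
    "</div>"
  );
}

// Only meaningful where a DOM exists; kept separate so the string builders
// above can be exercised without a browser.
function appendComment(container, commentData) {
  // Safe: username/URL escaped above, body sanitized server-side.
  container.insertAdjacentHTML("beforeend", renderCommentHtml(commentData));
}

// Constructed sample: a gravatarUrl that tries to close the src attribute
// and add a second img with an event handler.
const hostileComment = {
  username: "alice<script>",
  gravatarUrl:
    'https://www.gravatar.com/avatar/abc"><img src=x onerror="alert(1)',
  bodyHtml: "<p>Hello</p>",
};

// Count img tags in rendered markup: 1 means the injection was neutralized.
function countImgTags(html) {
  return (html.match(/<img/g) || []).length;
}
```

Running renderCommentHtml(hostileComment) yields a single img whose src holds the quote as &quot;, while renderCommentHtmlUnescaped(hostileComment) yields two img elements, the second carrying onerror. The same escaper handles the alt attribute and the username span, which is why the commit message notes that the URL is treated "matching how the username is already handled".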