feat: Add CSRF tokens to all JavaScript fetch calls and fix XSS

Security improvements across all JavaScript files:

CSRF Protection:
- assets/js/ticket.js - Added X-CSRF-Token header to 5 fetch calls
  (update_ticket.php x3, add_comment.php, assign_ticket.php)
- assets/js/dashboard.js - Added X-CSRF-Token to 8 fetch calls
  (update_ticket.php x2, bulk_operation.php x6)
- assets/js/settings.js - Added X-CSRF-Token to user preferences save
- assets/js/advanced-search.js - Added X-CSRF-Token to filter save/delete

XSS Prevention:
- assets/js/ticket.js:183-209 - Replaced insertAdjacentHTML() with safe
  DOM API (createElement/textContent) to prevent script injection in
  comment rendering. User-supplied data (user_name, created_at) now
  auto-escaped via textContent.

All state-changing operations now include CSRF token validation.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

assets/js/dashboard.js

@@ -276,7 +276,8 @@ function quickSave() {
     fetch('/api/update_ticket.php', {
         method: 'POST',
         headers: {
-            'Content-Type': 'application/json'
+            'Content-Type': 'application/json',
+            'X-CSRF-Token': window.CSRF_TOKEN
         },
         body: JSON.stringify(data)
     })
@@ -355,7 +356,8 @@ function saveTicket() {
     fetch('/api/update_ticket.php', {
         method: 'POST',
         headers: {
-            'Content-Type': 'application/json'
+            'Content-Type': 'application/json',
+            'X-CSRF-Token': window.CSRF_TOKEN
         },
         body: JSON.stringify({
             ticket_id: ticketId,
@@ -492,7 +494,10 @@ function bulkClose() {
 
     fetch('/api/bulk_operation.php', {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: {
+            'Content-Type': 'application/json',
+            'X-CSRF-Token': window.CSRF_TOKEN
+        },
         body: JSON.stringify({
             operation_type: 'bulk_close',
             ticket_ids: ticketIds
@@ -593,7 +598,10 @@ function performBulkAssign() {
 
     fetch('/api/bulk_operation.php', {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: {
+            'Content-Type': 'application/json',
+            'X-CSRF-Token': window.CSRF_TOKEN
+        },
         body: JSON.stringify({
             operation_type: 'bulk_assign',
             ticket_ids: ticketIds,
@@ -681,7 +689,10 @@ function performBulkPriority() {
 
     fetch('/api/bulk_operation.php', {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: {
+            'Content-Type': 'application/json',
+            'X-CSRF-Token': window.CSRF_TOKEN
+        },
         body: JSON.stringify({
             operation_type: 'bulk_priority',
             ticket_ids: ticketIds,
@@ -800,15 +811,18 @@ function closeBulkStatusModal() {
 function performBulkStatusChange() {
     const status = document.getElementById('bulkStatus').value;
     const ticketIds = getSelectedTicketIds();
-    
+
     if (!status) {
         alert('Please select a status');
         return;
     }
-    
+
     fetch('/api/bulk_operation.php', {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: {
+            'Content-Type': 'application/json',
+            'X-CSRF-Token': window.CSRF_TOKEN
+        },
         body: JSON.stringify({
             operation_type: 'bulk_status',
             ticket_ids: ticketIds,
@@ -885,10 +899,13 @@ function closeBulkDeleteModal() {
 
 function performBulkDelete() {
     const ticketIds = getSelectedTicketIds();
-    
+
     fetch('/api/bulk_operation.php', {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: {
+            'Content-Type': 'application/json',
+            'X-CSRF-Token': window.CSRF_TOKEN
+        },
         body: JSON.stringify({
             operation_type: 'bulk_delete',
             ticket_ids: ticketIds