Fix XSS: escape user_name and created_at in reply DOM injection

submitReply() built a replyDiv.innerHTML template literal using
data.user_name (API response) without escaping — an attacker-controlled
display name could inject arbitrary HTML. Fix: wrap all API-sourced
string values in lt.escHtml() within the template.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

assets/js/ticket.js

@@ -1374,10 +1374,10 @@ function submitReply(parentCommentId) {
                     <div class="thread-line"></div>
                     <div class="comment-content">
                         <div class="comment-header">
-                            <span class="comment-user">${data.user_name}</span>
-                            <span class="comment-date">${data.created_at}</span>
+                            <span class="comment-user">${lt.escHtml(data.user_name)}</span>
+                            <span class="comment-date">${lt.escHtml(data.created_at)}</span>
                             <div class="comment-actions">
-                                ${newDepth < 3 ? `<button type="button" class="comment-action-btn reply-btn" data-action="reply-comment" data-comment-id="${data.comment_id}" data-user="${data.user_name}" title="Reply">↩</button>` : ''}
+                                ${newDepth < 3 ? `<button type="button" class="comment-action-btn reply-btn" data-action="reply-comment" data-comment-id="${data.comment_id}" data-user="${lt.escHtml(data.user_name)}" title="Reply">↩</button>` : ''}
                                 <button type="button" class="comment-action-btn edit-btn" data-action="edit-comment" data-comment-id="${data.comment_id}" title="Edit">[ EDIT ]</button>
                                 <button type="button" class="comment-action-btn delete-btn" data-action="delete-comment" data-comment-id="${data.comment_id}" title="Delete">[ DEL ]</button>
                             </div>