security: OWASP audit and hardening (v1.0.8)

- Archive XSS: wrap get_the_archive_title/description with wp_kses_post()
  in ContextBuilder to sanitize Editor-editable term content rendered via |raw
- Comment fields: esc_html() on comment_author, esc_url() on comment_author_url
  at data source; template updated to output pre-escaped URL via |raw
- dark-mode.js: whitelist localStorage value against ['dark','light'] to
  prevent attribute injection from third-party script tampering
- TwigService: add is_safe=>html to esc_html/esc_attr/esc_url Twig functions
  to prevent double-encoding if autoescape is ever enabled
- Add .markdownlint.json (disable MD024 duplicate headings, MD013 line length)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

inc/Twig/TwigService.php

@@ -73,10 +73,12 @@ class TwigService
             return _n($single, $plural, $number, $domain);
         }));
 
-        // Escaping functions.
-        $this->twig->addFunction(new TwigFunction('esc_html', 'esc_html'));
-        $this->twig->addFunction(new TwigFunction('esc_attr', 'esc_attr'));
-        $this->twig->addFunction(new TwigFunction('esc_url', 'esc_url'));
+        // Escaping functions — marked is_safe so Twig does not double-escape their output.
+        // These functions already return HTML-safe strings; without is_safe, enabling
+        // Twig autoescape would double-encode the result (e.g. & → &).
+        $this->twig->addFunction(new TwigFunction('esc_html', 'esc_html', ['is_safe' => ['html']]));
+        $this->twig->addFunction(new TwigFunction('esc_attr', 'esc_attr', ['is_safe' => ['html']]));
+        $this->twig->addFunction(new TwigFunction('esc_url', 'esc_url', ['is_safe' => ['html']]));
 
         // WordPress head/footer output (captured via output buffering).
         $this->twig->addFunction(new TwigFunction('wp_head', function (): string {