GHSA-jf3g-4gwg-4h66
NocoDB: Stored Cross-Site Scripting via Row Comments
Details
### Summary

An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view.
### Details

The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its `data-tooltip` attribute to Tippy with `allowHTML: true`. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover.
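The rendering path described above, as an added illustration that is not NocoDB's own code: a constructed comment body, a write-time filter that only removes `<script>` elements, and the two shapes of tooltip options. The helper names (`stripScriptTags`, `hasEventHandlerMarkup`, `vulnerableTooltipOptions`, `hardenedTooltipOptions`, `hardenedCommentAttribute`) are assumptions for this example.

```javascript
// Added example, not NocoDB's code. Models: stored body -> write-time filter
// -> data-tooltip attribute -> Tippy options, and why tag-stripping alone fails.

// Constructed sample comment: no <script> element, but an event-handler attribute.
const SAMPLE_COMMENT = 'Looks good <b onmouseover="handler()">to me</b>';

// Write-time filter of the kind the advisory describes: removes <script>
// elements and nothing else, so element-level and attribute-level markup survive.
function stripScriptTags(body) {
  return body.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Escape the characters that let text be parsed as markup or that could close
// a quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Audit heuristic for existing comment rows: does the stored body still contain
// a tag carrying an on* event attribute? Not a sanitizer, only a detector.
function hasEventHandlerMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Vulnerable shape: the stored body is handed to Tippy as HTML, so every
// surviving element and attribute becomes live DOM when the tooltip shows.
function vulnerableTooltipOptions(storedBody) {
  return { content: storedBody, allowHTML: true };
}

// Hardened shape: with allowHTML false Tippy assigns the content as text, so the
// body is never parsed as markup. If rich formatting must be kept, the body has
// to go through an allowlist sanitizer before allowHTML true is acceptable.
function hardenedTooltipOptions(storedBody) {
  return { content: storedBody, allowHTML: false };
}

// The data-tooltip attribute that carries the body is attribute-escaped as well,
// so the stored text cannot terminate the attribute and inject further markup.
function hardenedCommentAttribute(storedBody) {
  return `data-tooltip="${escapeHtml(storedBody)}"`;
}
```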
### Impact

Stored Cross-Site Scripting against any user who views the affected row. Script runs in the NocoDB origin with the victim's session and can read the auth JWT from `localStorage`. Authentication and comment permission are required.
### Credit

This issue was reported by [@DavidCarliez](https://github.com/DavidCarliez). It was independently reported by [@Mouhebbenelwafi](https://github.com/Mouhebbenelwafi).