Fix: apply rate limiting to save and submit operations #898

Draft
Daetha wants to merge 14 commits into main from fix/safety-save

@Daetha Daetha commented Jan 16, 2026

Protection from spamming save and/or submit buttons by bots or very angry humans.

Changes

  • Security Logic Decoupling: Outsourced all security-related functions into a centralized api/security.php.
  • CSRF Management: Refactored csrf_token.php to act as a lightweight endpoint that fetches tokens via the new security API.
  • Frontend Integration: Added hidden security fields to Modals. The JavaScript layer now passes these parameters via postData:
    // Security field references
    this.$csrfTokenField = $('#input-submit-csrf-token');
    this.$timeSpentField = $('#input-submit-time-spent');
    this.$honeypotField = $('input[name="website"]');

Notes for Reviewer

Checks for save and submit happen independently (Dual rate limiting)

Dual rate limiting - Each operation type has its own independent rate limit:

  • send_xml_file.php rate-limits submits to 10/hour (action: 'submit')
  • save_data.php rate-limits saves to 300/hour (action: 'save')

When a submit happens:

  • Rate limit check 1: send_xml_file.php checks 'submit' action (10/hour)
  • Rate limit check 2: save_data.php checks 'save' action (300/hour) when internally called

Both checks pass independently; they don't consume each other's quota.

Checklist

  • My code follows the style guide.
  • I have self-reviewed my code.
  • I added comments for hard-to-understand code.
  • If applicable, PHP code is documented using PHPDoc.
  • If applicable, JavaScript code is documented using JSDoc.
  • If needed, the ELMO Guide has been updated.
  • If needed, the README has been updated.
  • If needed, the API documentation has been updated.
  • If a new feature was added or a bug fixed, the changelog has been updated.
  • My changes do not create new warnings in the test browser console.
  • I have added unit tests that cover my code.
  • All new and existing unit tests pass locally.
  • All new and existing automated unit tests pass in the pull request.
  • If applicable, Playwright tests have been updated and new tests added.
  • All new and existing automated Playwright tests pass in the pull request.
  • I ensured the changes meet accessibility guidelines.

Known Issues

The protection in this PR and in feedback-protection is based on IP, which can be problematic if a research group is using the same router. A better solution would be session+IP limiting.

@Daetha Daetha self-assigned this Jan 20, 2026
@Daetha Daetha marked this pull request as draft January 22, 2026 17:58
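
The following is an added example, not code from this PR or from the project. It sketches the per-action quotas described under "Notes for Reviewer" and the shared-IP problem from "Known Issues": with an IP-only key, a second user behind the same address is refused submits once the first user has used the 10/hour quota (saves still pass), while a session+IP key gives each session its own quota. All class, function and variable names are hypothetical; the fixed one-hour window and the in-memory store are assumptions.

```php
<?php
// Added example, not code from the PR. All names here are hypothetical.
// Assumptions: fixed one-hour windows and an in-memory counter store.
final class ActionRateLimiter
{
    private const LIMITS = ['submit' => 10, 'save' => 300]; // per hour, from the PR text
    private const WINDOW_SECONDS = 3600;
    private array $buckets = []; // bucket id => ['start' => int, 'count' => int]

    /** Counts one request for ($clientKey, $action); returns false when over the limit. */
    public function allow(string $clientKey, string $action, int $now): bool
    {
        if (!isset(self::LIMITS[$action])) {
            throw new InvalidArgumentException("Unknown action: $action");
        }
        $id = $action . '|' . $clientKey; // action is part of the key: quotas never mix
        $bucket = $this->buckets[$id] ?? ['start' => $now, 'count' => 0];
        if ($now - $bucket['start'] >= self::WINDOW_SECONDS) {
            $bucket = ['start' => $now, 'count' => 0]; // window expired, start a new one
        }
        $allowed = $bucket['count'] < self::LIMITS[$action];
        $bucket['count'] += $allowed ? 1 : 0; // refused requests are not counted
        $this->buckets[$id] = $bucket;
        return $allowed;
    }
}

/** A submit passes the 'submit' check, then the 'save' check of the internal save call. */
function submitAllowed(ActionRateLimiter $rl, string $clientKey, int $now): bool
{
    return $rl->allow($clientKey, 'submit', $now) && $rl->allow($clientKey, 'save', $now);
}

/** User A submits ten times, then user B tries one submit and one plain save. */
function userBAfterUserA(callable $keyFor, int $now): array
{
    $rl = new ActionRateLimiter();
    for ($i = 0; $i < 10; $i++) {
        submitAllowed($rl, $keyFor('session-a'), $now);
    }
    $b = $keyFor('session-b');
    return ['submit' => submitAllowed($rl, $b, $now), 'save' => $rl->allow($b, 'save', $now)];
}

$ip = '192.0.2.10'; // constructed address, shared by users A and B
$now = 1768550400;  // constructed timestamp
$ipOnly = fn(string $sessionId): string => $ip; // one quota per address
$sessionAndIp = fn(string $sessionId): string => hash('sha256', "$sessionId|$ip"); // one per session
echo json_encode(['ip' => userBAfterUserA($ipOnly, $now),
    'session+ip' => userBAfterUserA($sessionAndIp, $now)]), "\n";
```

The session identifier in the key has to be the server-side session id, not a value read from the request body. Because a client that discards its session cookie starts a fresh bucket, a looser per-IP ceiling is usually kept alongside the session+IP key.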