fix: escape URL in href attribute and display text in url-link-converter

The convertUrlsToLinks function places matched URLs directly into HTML
without escaping. While the regex excludes most HTML metacharacters,
the & character can appear in query strings and should be escaped as
& for valid HTML. Apply escapeHtml() to both the href attribute
value and the display text for defense-in-depth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: FuturMix

src/lib/utils/url-link-converter.js

@@ -62,9 +62,10 @@ export function convertUrlsToLinks(text) {
 		const beforeUrl = textWithPlaceholders.slice(lastIndex, match.index);
 		result += escapeHtml(beforeUrl);
 
-		// Add the URL as a clickable link
+		// Add the URL as a clickable link (escape in both href and display text)
 		const url = match[0];
-		result += `<a href="${url}" target="_blank" rel="noopener noreferrer">${url}</a>`;
+		const escapedUrl = escapeHtml(url);
+		result += `<a href="${escapedUrl}" target="_blank" rel="noopener noreferrer">${escapedUrl}</a>`;
 
 		lastIndex = httpsUrlRegex.lastIndex;
 	}