fix: address security and quality issues from code review

Security fixes:
- Fix XSS in Atom feed: escape user-supplied URLs in HTML content
- Wrap signup request approval in a transaction to prevent
  partial state on crash (user created but request still pending)
- Stop leaking internal error messages to admin UI
- Add request body size limit on API import endpoint
- Log SetMustResetPassword errors instead of silently discarding

Correctness fixes:
- Handle errors from API fave update/delete instead of returning
  success on failure
- Use actual data timestamp for feed <updated> instead of
  time.Now() (improves HTTP caching)
- Replace hardcoded 10000 export limit with named constant
  (maxExportFaves = 100000)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/handler/admin.go

@@ -101,8 +101,9 @@ func (h *Handler) handleAdminResetPassword(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	// Force password reset on next login by setting the flag back.
-	h.deps.Users.SetMustResetPassword(id, true)
+	if err := h.deps.Users.SetMustResetPassword(id, true); err != nil {
+		slog.Error("set must-reset-password error", "error", err)
+	}
 
 	// Invalidate all sessions for this user.
 	if delErr := h.deps.Sessions.DeleteAllForUser(id); delErr != nil {
@@ -252,7 +253,7 @@ func (h *Handler) handleAdminSignupRequestAction(w http.ResponseWriter, r *http.
 	case "approve":
 		if err := h.deps.SignupRequests.Approve(id, admin.ID); err != nil {
 			slog.Error("approve signup request error", "error", err)
-			h.adminRequestsFlash(w, r, "Noe gikk galt: "+err.Error(), "error")
+			h.adminRequestsFlash(w, r, "Noe gikk galt ved godkjenning.", "error")
 			return
 		}
 		h.adminRequestsFlash(w, r, "Forespørsel godkjent. Brukeren må endre passord ved første innlogging.", "success")