text renders literal & in comments and writeups

[ddjjdd640]

When users post comments or writeup text containing special characters like &, the site sometimes displays literal HTML entities (for example &) instead of the original character.

Example: https://crackmes.one/crackme/699da9a00b6d36e727710a49

• Submitted text:
  CCCCCChCCCCiCM&CCCCCCCGCCCCCCX#CCKCCC9CCCCCCCCCCCCCCCCCCCCmVC*CC
• Displayed on website:
  CCCCCChCCCCiCM&CCCCCCCGCCCCCCX#CCKCCC9CCCCCCCCCCCCCCCCCCCCmVC*CC

Issue appears to be double escaping:

1. Input is escaped before storing:

• app/controllers/comment.py (leave_comment): comment_text = bleach.clean(request.form.get('comment', ''))
• app/controllers/solution.py (upload_solution_post): info = bleach.clean(request.form.get('info', ''))
• Similar pattern also exists for crackme text fields in app/controllers/crackme.py

2. Output is escaped again during rendering:

• Jinja autoescape in templates (e.g. {{ solution.info }}, {{ comment.info }})
• app/services/view.py filter render_mentions explicitly calls escape(text) before returning Markup

A raw & can become:

• on write: &
• on render escape: &
• browser then shows literal &

I would fix is this way... Let me know.

1. Stop HTML escaping these plain-text user fields at submit time (comments/writeup info).
2. Keep escaping at render time (Jinja autoescape and render_mentions escaping logic).

rendering still escapes unsafe HTML correctly