Comments are POSTed to /api/comments and then fetched back and rendered with innerHTML — no escaping on write or read, so a stored payload runs for every later viewer.
Trigger: post <img src=x onerror=alert(1)> then reload — it fires for everyone.
Detected by: browser_cdp_xss_payload_inject, browser_cdp_dom_xss_trace