fix: validate parent_id in error path, rebuild Tailwind CSS

- Defensively parse parent_id in _render_htmx_error: coerce to int,
  fallback to main form if non-numeric or parent not found
- Rebuild Tailwind CSS to include new utility classes from templates
- Add test for tampered parent_id falling back to main form

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

apps/comments/views.py

@@ -121,15 +121,20 @@ def _comment_template_context(comment, article, request):
 class CommentCreateView(View):
     def _render_htmx_error(self, request, article, form):
         """Return error form partial for HTMX — swaps the form container itself."""
-        parent_id = request.POST.get("parent_id")
-        if parent_id:
-            parent = Comment.objects.filter(pk=parent_id, article=article).first()
-            ctx = {
-                "comment": parent, "page": article,
-                "turnstile_site_key": _turnstile_site_key(),
-                "reply_form_errors": form.errors,
-            }
-            return _add_vary_header(render(request, "comments/_reply_form.html", ctx))
+        raw_parent_id = request.POST.get("parent_id")
+        if raw_parent_id:
+            try:
+                parent_id = int(raw_parent_id)
+            except (ValueError, TypeError):
+                parent_id = None
+            parent = Comment.objects.filter(pk=parent_id, article=article).first() if parent_id else None
+            if parent:
+                ctx = {
+                    "comment": parent, "page": article,
+                    "turnstile_site_key": _turnstile_site_key(),
+                    "reply_form_errors": form.errors,
+                }
+                return _add_vary_header(render(request, "comments/_reply_form.html", ctx))
         ctx = {
             "comment_form": form, "page": article,
             "turnstile_site_key": _turnstile_site_key(),