Harden CSRF/CSP and add hash version upgrades

wwwroot/js/suggestions-ui.js

@@ -6,7 +6,6 @@ import { setupCardVisualHover, triggerCelebration } from "./effects.js";
 import { renderAdminLinker } from "./admin-ui.js";
 import { getUiRuntime } from "./ui-runtime.js";
 import {
-    cssEscapeUrl,
     escapeHtml,
     isLinked,
     linkedPeerTitles,
@@ -95,7 +94,7 @@ export function buildCard(
         : "";
     const visual =
         hasImage && safeShot
-            ? `<button class="card-visual" data-img="${safeShot}" aria-label="${t("card.openScreenshot")}" style="background-image:url('${cssEscapeUrl(safeShot)}')"></button>`
+            ? `<button class="card-visual has-image" data-img="${escapeHtml(safeShot)}" aria-label="${t("card.openScreenshot")}"><img class="card-visual-image" src="${escapeHtml(safeShot)}" alt="" loading="lazy" decoding="async" /></button>`
             : `<div class="card-visual"></div>`;
     const hasPlayers = s.minPlayers || s.maxPlayers;
     const players = hasPlayers