Function sanitizePlainText

Strip HTML tags from a user-supplied string to prevent XSS. Uses a multi-pass loop to handle nested tag reconstruction attempts (e.g. <scr<script>ipt>). Returns plain text — callers must apply escapeHtml() at their render sites so escaping happens exactly once.