fix: preserve mention data attributes through HTML sanitization

Filament's sanitizer strips data-id, data-label and data-char from
mention spans, breaking both display (unstyled @mention) and editing
(@-only shown in RichEditor). Register a package-scoped sanitizer that
explicitly allows these attributes on span elements.

Also fix double-replacement bug in renderBodyWithMentions() where both
the rich-editor regex and str_replace fallback could run on the same
mention, producing nested styled spans.

tests/Feature/ContentSanitizationTest.php

@@ -155,6 +155,26 @@ it('strips onclick handler from elements', function () {
     expect($comment->body)->toContain('click me');
 });
 
+it('preserves mention data attributes in comment body', function () {
+    $user = User::factory()->create();
+    $post = Post::factory()->create();
+
+    $body = '<span data-type="mention" data-id="1" data-label="max" data-char="@">@max</span>';
+
+    $comment = Comment::factory()->create([
+        'commentable_id' => $post->id,
+        'commentable_type' => $post->getMorphClass(),
+        'commenter_id' => $user->getKey(),
+        'commenter_type' => $user->getMorphClass(),
+        'body' => $body,
+    ]);
+
+    expect($comment->body)->toContain('data-type="mention"');
+    expect($comment->body)->toContain('data-id="1"');
+    expect($comment->body)->toContain('data-label="max"');
+    expect($comment->body)->toContain('data-char="@"');
+});
+
 it('sanitizes content submitted through livewire component', function () {
     $user = User::factory()->create();
     $post = Post::factory()->create();