Harden block render escaping and validate attributes before GitHub API calls#15

Open
mathetos wants to merge 1 commit into
DevinWalker:mainfrom
mathetos:fix/security-output-escaping

Conversation

@mathetos mathetos commented Jun 27, 2026

Related to #16

Summary

Hardens src/Block.php output escaping and attribute handling before GitHub API requests.

  • Replace incorrect esc_html_e() usage on dynamic API values with esc_html(), esc_url(), and esc_attr() as appropriate
  • Add sanitize_attributes() for profileName, repoUrl, mediaUrl, and related block fields before fetch/render
  • Return consistent API error strings from fetchData() and detect them reliably in get_output_or_error()
  • Guard profile repo list rendering when the repos fetch fails
  • Escape profile header background URL and top-repo links/descriptions
  • Add GitHub API request timeout and User-Agent header
  • Hash transient key suffixes with md5() to avoid odd characters in option names

Test plan

  • Insert repository block with default repo and confirm front-end output unchanged
  • Insert profile block with username Octocat and confirm profile + repo list render
  • Enter invalid repo path / username in editor and confirm block falls back safely without broken markup
  • Trigger API error (bad repo) and confirm error notice renders escaped message

…I calls

Co-authored-by: Cursor <cursoragent@cursor.com>
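The following is an added PHP illustration of the two fixes the summary describes; it is not code from this pull request or from `src/Block.php`. The attribute names `profileName`, `repoUrl` and `mediaUrl` come from the summary; the function bodies, the regular expressions, the transient key prefix and the sample input are assumptions made for the example. Outside WordPress the WordPress escapers are shimmed so the file runs stand-alone.

```php
<?php
// Added example (not the PR's own code): escaping dynamic API values with the
// escaper that matches their HTML context, validating block attributes before
// they reach a GitHub API URL, and hashing transient key suffixes with md5().

// Minimal stand-ins so the file runs outside WordPress. WordPress defines the
// real functions; these shims are assumptions and are not full replicas.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // The real esc_url() rejects disallowed schemes; the shim keeps only http(s).
    function esc_url(string $url): string {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Validate attributes before any fetch. Invalid values collapse to '' so the
// caller can fall back safely instead of interpolating them into an API request.
// The patterns below are assumptions modelled on GitHub naming rules.
function sanitize_attributes(array $attrs): array {
    $profile = trim((string) ($attrs['profileName'] ?? ''));
    // Usernames: 1-39 alphanumerics or hyphens, not starting or ending with '-'.
    if (!preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?$/', $profile)) {
        $profile = '';
    }
    $repo = trim((string) ($attrs['repoUrl'] ?? ''));
    // Only an "owner/name" path is accepted; path traversal or query data is rejected.
    if (!preg_match('#^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$#', $repo)) {
        $repo = '';
    }
    return [
        'profileName' => $profile,
        'repoUrl'     => $repo,
        'mediaUrl'    => esc_url((string) ($attrs['mediaUrl'] ?? '')),
    ];
}

// Transient key: md5() yields a fixed-length hex suffix, so a user-supplied
// identifier never puts odd characters or excessive length into an option name.
function transient_key(string $prefix, string $identifier): string {
    return $prefix . md5($identifier);
}

// Hardened rendering of one repository entry from an API response. Each value
// passes through the escaper for its context. The pattern being replaced,
// esc_html_e($value), echoes immediately and routes the dynamic value through
// translation, so it cannot be used when building a returned string.
function render_repo_item(array $repo): string {
    $rawName = (string) ($repo['name'] ?? '');
    $url     = esc_url((string) ($repo['html_url'] ?? ''));
    $name    = esc_html($rawName);
    $desc    = esc_html((string) ($repo['description'] ?? ''));
    if ($url === '') {
        // No usable link: render the name only, still escaped.
        return '<li>' . $name . '</li>';
    }
    return '<li><a href="' . $url . '" title="' . esc_attr($rawName) . '">'
         . $name . '</a> ' . $desc . '</li>';
}

// Constructed sample input (not real API data) covering the rejection paths.
$attrs = sanitize_attributes([
    'profileName' => 'octo cat',              // space is invalid -> ''
    'repoUrl'     => '../../rate_limit?x=1',  // not owner/name -> ''
    'mediaUrl'    => 'javascript:alert(1)',   // disallowed scheme -> ''
]);
var_dump($attrs);

// Markup in the API response is neutralised in every context it lands in.
echo render_repo_item([
    'name'        => 'demo<script>x</script>',
    'html_url'    => 'https://github.com/example/demo',
    'description' => '"quoted" & <b>bold</b>',
]), PHP_EOL;
echo transient_key('gh_block_', 'example/demo'), PHP_EOL;
```

Running it prints the three rejected attributes as empty strings, a list item whose name and description contain only entity-encoded markup, and a fixed-length transient key. Inside WordPress the `function_exists` guards are false and the real escapers are used.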