feat(health): 为所有 DTO 添加 sanitize 防止存储型 XSS

覆盖 patient/health_data/appointment/follow_up/consultation/doctor
6 个 DTO 模块共 14 个请求结构体，在 handler 层统一调用 sanitize。

crates/erp-health/src/handler/patient_handler.rs

@@ -64,6 +64,8 @@ where
     S: Clone + Send + Sync + 'static,
 {
     require_permission(&ctx, "health.patient.manage")?;
+    let mut req = req;
+    req.sanitize();
     let result = patient_service::create_patient(
         &state, ctx.tenant_id, Some(ctx.user_id), req,
     )
@@ -97,7 +99,7 @@ where
 {
     require_permission(&ctx, "health.patient.manage")?;
     let version = req.version;
-    let update = UpdatePatientReq {
+    let mut update = UpdatePatientReq {
         name: req.name,
         gender: req.gender,
         birth_date: req.birth_date,
@@ -112,6 +114,7 @@ where
         status: req.status,
         verification_status: req.verification_status,
     };
+    update.sanitize();
     let result = patient_service::update_patient(
         &state, ctx.tenant_id, id, Some(ctx.user_id), update, version,
     )
@@ -188,6 +191,8 @@ where
     S: Clone + Send + Sync + 'static,
 {
     require_permission(&ctx, "health.patient.manage")?;
+    let mut req = req;
+    req.sanitize();
     let result = patient_service::create_family_member(
         &state, ctx.tenant_id, id, Some(ctx.user_id), req,
     )
@@ -207,13 +212,14 @@ where
 {
     require_permission(&ctx, "health.patient.manage")?;
     let version = req.version;
-    let update = FamilyMemberReq {
+    let mut update = FamilyMemberReq {
         name: req.name,
         relationship: req.relationship,
         phone: req.phone,
         birth_date: req.birth_date,
         notes: req.notes,
     };
+    update.sanitize();
     let result = patient_service::update_family_member(
         &state, ctx.tenant_id, _patient_id, member_id, Some(ctx.user_id), update, version,
     )