fix: add type and data-ajax-nonce to button kses allowlist (#879)

The setup wizard requirements table HTML passes through wp_kses()
twice (field-note.php and default.php templates). The button element's
kses allowlist only permitted disabled, name, and value — stripping
type="button" and data-ajax-nonce from the Network Activate button.

Without type="button", the click submits the parent form instead of
triggering the AJAX handler. Without data-ajax-nonce, the JS reads
undefined and the server rejects the request with bad-nonce.

PR #875 correctly moved the JS to an external file and changed the
nonce field to _ajax_nonce, but the button attributes were still
stripped before reaching the browser.

Author: superdav42

inc/functions/helper.php

@@ -491,9 +491,11 @@ function wu_kses_allowed_html(): array {
 		'value'    => true,
 	];
 	$allowed_html['button']   = [
-		'disabled' => true,
-		'name'     => true,
-		'value'    => true,
+		'type'            => true,
+		'disabled'        => true,
+		'name'            => true,
+		'value'           => true,
+		'data-ajax-nonce' => true,
 	];
 	$allowed_html['dynamic']  = [
 		':template' => true,