Enable Jinja2 autoescaping (#200)

- Enable Jinja2 autoescape by default in the template environment.
- Use json.dumps to safely inject sso_name into JavaScript context.
- Fix linting issue (line too long) in injected_auth_page.py.
- Update tests to verify escaping and safe injection.

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: werdnum <271070+werdnum@users.noreply.github.com>

custom_components/auth_oidc/endpoints/injected_auth_page.py

@@ -1,5 +1,6 @@
 """Injected authorization page, replacing the original"""
 
+import json
 import logging
 from functools import partial
 from homeassistant.components.http import HomeAssistantView, StaticPathConfig
@@ -61,12 +62,9 @@ async def frontend_injection(hass: HomeAssistant, sso_name: str) -> None:
     frontend_code = await read_file(frontend_path)
 
     # Inject JS and register that route
-    frontend_code = frontend_code.replace(
-        "</body>",
-        "<script src='/auth/oidc/static/injection.js?v=3'></script><script>window.sso_name = '"
-        + sso_name
-        + "';</script></body>",
-    )
+    injection_js = "<script src='/auth/oidc/static/injection.js?v=3'></script>"
+    sso_name_js = f"<script>window.sso_name = {json.dumps(sso_name)};</script>"
+    frontend_code = frontend_code.replace("</body>", f"{injection_js}{sso_name_js}</body>")
 
     await hass.http.async_register_static_paths(
         [

custom_components/auth_oidc/views/loader.py

@@ -54,7 +54,9 @@ class AsyncTemplateRenderer:
         if template_name not in templates:
             raise ValueError(f"Template '{template_name}' not found.")
 
-        env = Environment(loader=DictLoader(templates), enable_async=True)
+        env = Environment(
+            loader=DictLoader(templates), enable_async=True, autoescape=True
+        )
         template = env.get_template(template_name)
 
         # Render template