Enable Jinja2 autoescaping (#200)

- Enable Jinja2 autoescape by default in the template environment.
- Use json.dumps to safely inject sso_name into JavaScript context.
- Fix linting issue (line too long) in injected_auth_page.py.
- Update tests to verify escaping and safe injection.

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: werdnum <271070+werdnum@users.noreply.github.com>

tests/test_hass_webserver.py

@@ -149,3 +149,4 @@ async def test_frontend_injection(hass: HomeAssistant, hass_client):
     text = await resp.text()
 
     assert "<script src='/auth/oidc/static/injection.js" in text
+    assert "window.sso_name = \"OpenID Connect (SSO)\";" in text

tests/test_view_template.py

@@ -15,8 +15,13 @@ async def test_real_template_render():
     """Test that view template can render an real existing template."""
 
     renderer = AsyncTemplateRenderer()
-    rendered = await renderer.render_template("welcome.html")
+    await renderer.fetch_templates()
+    rendered = await renderer.render_template(
+        "welcome.html", name="<script>alert(1)</script>"
+    )
     assert "<!DOCTYPE html>" in rendered
+    assert "&lt;script&gt;alert(1)&lt;/script&gt;" in rendered
+    assert "<script>alert(1)</script>" not in rendered
 
 
 @pytest.mark.asyncio