Remove HTML escaping from config environment variables

The /config endpoint no longer applies html.escape to BACKEND_API_URL and AUTH_ENABLED environment variables. This change ensures the values are returned as-is, which is more appropriate for non-HTML config data.

Author: Fr4nc3

src/frontend/frontend_server.py

@@ -37,8 +37,8 @@ async def serve_index():
 
 @app.get("/config")
 async def get_config():
-    backend_url = html.escape(os.getenv("BACKEND_API_URL", "http://localhost:8000"))
-    auth_enabled = html.escape(os.getenv("AUTH_ENABLED", "false"))
+    backend_url = os.getenv("BACKEND_API_URL", "http://localhost:8000")
+    auth_enabled = os.getenv("AUTH_ENABLED", "false")
     backend_url = backend_url + "/api"
 
     config = {
@@ -53,11 +53,17 @@ async def serve_app(full_path: str):
     # Remediation: normalize and check containment before serving
     file_path = os.path.normpath(os.path.join(BUILD_DIR, full_path))
     # Block traversal and dotfiles
-    if not file_path.startswith(BUILD_DIR) or ".." in full_path or "/." in full_path or "\\." in full_path:
+    if (
+        not file_path.startswith(BUILD_DIR)
+        or ".." in full_path
+        or "/." in full_path
+        or "\\." in full_path
+    ):
         return FileResponse(INDEX_HTML)
     if os.path.isfile(file_path):
         return FileResponse(file_path)
     return FileResponse(INDEX_HTML)
 
+
 if __name__ == "__main__":
     uvicorn.run(app, host="127.0.0.1", port=3000, access_log=False, log_level="info")