Harden web UI auth, input handling, and SD path validation

- Add optional Basic Auth with NVS-backed credentials and STA/AP flags; protect status, wifi, history, and download routes

- Stop pre-filling WiFi/MQTT/Web UI password fields; keep stored secrets on blank and add clear-password checkboxes

- Add HTML escaping + URL encoding helpers and apply to user-controlled strings; add unit test

- Harden /sd/download path validation (prefix, length, dotdot, slashes) and log rejections

- Enforce protocol version in LoRa receive and release GPIO14 before SD init

- Update README security, SD, and GPIO sharing notes

src/wifi_manager.cpp

@@ -1,4 +1,5 @@
 #include "wifi_manager.h"
+#include "config.h"
 #include <WiFi.h>
 #include <esp_wifi.h>
 
@@ -10,9 +11,6 @@ void wifi_manager_init() {
 
 bool wifi_load_config(WifiMqttConfig &config) {
   config.valid = prefs.getBool("valid", false);
-  if (!config.valid) {
-    return false;
-  }
   config.ssid = prefs.getString("ssid", "");
   config.password = prefs.getString("pass", "");
   config.mqtt_host = prefs.getString("mqhost", "");
@@ -21,6 +19,11 @@ bool wifi_load_config(WifiMqttConfig &config) {
   config.mqtt_pass = prefs.getString("mqpass", "");
   config.ntp_server_1 = prefs.getString("ntp1", "pool.ntp.org");
   config.ntp_server_2 = prefs.getString("ntp2", "time.nist.gov");
+  config.web_user = prefs.getString("webuser", WEB_AUTH_DEFAULT_USER);
+  config.web_pass = prefs.getString("webpass", WEB_AUTH_DEFAULT_PASS);
+  if (!config.valid) {
+    return false;
+  }
   return config.ssid.length() > 0 && config.mqtt_host.length() > 0;
 }
 
@@ -34,6 +37,8 @@ bool wifi_save_config(const WifiMqttConfig &config) {
   prefs.putString("mqpass", config.mqtt_pass);
   prefs.putString("ntp1", config.ntp_server_1);
   prefs.putString("ntp2", config.ntp_server_2);
+  prefs.putString("webuser", config.web_user);
+  prefs.putString("webpass", config.web_pass);
   return true;
 }