Fix XSS, CSRF, input validation, and related security issues

tests/conftest.py

@@ -15,6 +15,7 @@ def app():
         SECRET_KEY = "test-secret"
         SQLALCHEMY_TRACK_MODIFICATIONS = False
         TESTING = True
+        WTF_CSRF_ENABLED = False      # disable CSRF validation in tests
         HOMEASSISTANT_URL = None      # prevent HA poller from starting in tests
         HOMEASSISTANT_API_KEY = None