fix: extend fetch_user error guard; escape HTML in login page

Move field-extraction inside the try/except in fetch_user so non-dict
responses from providers with empty profile_data_path (Gitea, GitHub)
raise OAuthError instead of an uncaught AttributeError. Apply
html.escape() to provider name, label, and logo URL in the login page.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

hbd/server/oauth.py

@@ -244,12 +244,11 @@ async def fetch_user(provider: ResolvedProvider, token: str) -> dict:
     try:
         for key in provider.profile_data_path:
             data = data.get(key, {})
+        avatar_field = provider.field_map.get("avatar")
+        return {
+            "login":      data.get(provider.field_map["username"], ""),
+            "full_name":  data.get(provider.field_map["full_name"], ""),
+            "avatar_url": data.get(avatar_field, "") if avatar_field else "",
+        }
     except AttributeError:
         raise OAuthError(f"Unexpected profile response structure from {provider.type}")
-
-    avatar_field = provider.field_map.get("avatar")
-    return {
-        "login":      data.get(provider.field_map["username"], ""),
-        "full_name":  data.get(provider.field_map["full_name"], ""),
-        "avatar_url": data.get(avatar_field, "") if avatar_field else "",
-    }