fix(security): apply os.path.basename sanitizer + fix Unicode escapes + remaining review items

## CodeQL path-injection (pages_v3.py)
Switch from Path.name to os.path.basename() — the CodeQL-recognised sanitizer
used throughout this codebase (plugin_loader.py lines 74, 157).  All path
operations now use safe_id/safe_fn derived from os.path.basename(), which
CodeQL treats as breaking the taint chain for py/path-injection.

## XSS Unicode escaping (pages_v3.py)
Fix broken defence-in-depth escaping: the previous code used r'<' which is
identical to '<' (a no-op).  Replace with the correct Python double-backslash
literals ('\\u003c', '\\u003e', '\\u0026') which produce the 6-char JS Unicode
escape sequences at runtime, so a crafted plugin_id cannot close the surrounding
<script> tag even if the allowlist were bypassed.

## Nullable type normalization (plugin_config.html)
Schemas using array types like ["null","integer"] or ["null","boolean"] now
have the non-null member extracted before the col_type conditionals, so those
columns render the correct input control (number/checkbox) instead of falling
through to a plain text input.

## file-upload-single.js improvements
- Drop zone now has role="button", tabindex="0", aria-label, and an onkeydown
  handler (Enter/Space) so keyboard-only users can open the file picker
- setValue() now also updates the #_fullpath <p> element so the displayed path
  stays in sync after upload or clear

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web_interface/static/v3/js/widgets/file-upload-single.js

@@ -90,7 +90,7 @@
                      </div>`;
             html += `<div class="flex-1 min-w-0">
                          <p id="${fieldId}_filename" class="text-xs text-gray-600 truncate">${escapeHtml(currentValue.split('/').pop() || '')}</p>
-                         <p class="text-xs text-gray-400">${escapeHtml(currentValue)}</p>
+                         <p id="${fieldId}_fullpath" class="text-xs text-gray-400">${escapeHtml(currentValue)}</p>
                      </div>`;
             html += `<button type="button"
                              onclick="window.LEDMatrixWidgets.getHandlers('file-upload-single').onClear('${fieldId}')"
@@ -99,12 +99,15 @@
                      </button>`;
             html += '</div>';
 
-            // Upload drop zone (always shown, acts as change button when value is set)
+            // Upload drop zone — keyboard accessible via tabindex + Enter/Space
             html += `<div id="${fieldId}_drop_zone"
                           class="border-2 border-dashed border-gray-300 rounded-lg p-3 text-center hover:border-blue-400 transition-colors cursor-pointer"
+                          role="button" tabindex="0"
+                          aria-label="${hasImage ? 'Replace image' : 'Upload image'}"
                           ondrop="window.LEDMatrixWidgets.getHandlers('file-upload-single').onDrop(event, '${fieldId}')"
                           ondragover="event.preventDefault()"
-                          onclick="document.getElementById('${fieldId}_file_input').click()">
+                          onclick="document.getElementById('${fieldId}_file_input').click()"
+                          onkeydown="if(event.key==='Enter'||event.key===' '){event.preventDefault();document.getElementById('${fieldId}_file_input').click();}">
                          <input type="file"
                                 id="${fieldId}_file_input"
                                 accept="${escapeHtml(allowedTypes)}"
@@ -151,6 +154,8 @@
                 if (thumbPlaceholder) thumbPlaceholder.style.display = 'none';
             }
             if (filename) filename.textContent = hasImage ? value.split('/').pop() : '';
+            const fullpath = document.getElementById(`${safeId}_fullpath`);
+            if (fullpath) fullpath.textContent = value || '';
 
             // Update drop zone hint text
             const hint = dropZone ? dropZone.querySelector('p') : null;