This PR fixes an error in User.php where escapeshellcmd was used while building internal app URLs/paths.

What changed

• Replaced escapeshellcmd(...) usage in repr_load_react_app() and setup_cra_application_files().
• Sanitized app names with sanitize_file_name(...) when reading appname from config.
• Kept path/URL construction as plain string concatenation for local file paths and plugin asset URLs.

Why

• escapeshellcmd is meant for shell command strings, not for filesystem/URL path construction.
• Using it here can trigger undefined function issues in this context and is not the right sanitization strategy.

Impact

• Resolves the runtime/static-analysis issue around escapeshellcmd.
• Improves correctness and safety of app path handling.
• No functional changes intended beyond path construction/sanitization behavior.