Motivation

• The ValueDisplay widget began rendering imported SVG icon markup with v-html, creating a stored XSS sink when the icons API returns raw uploaded SVG.
• The intent is to eliminate the XSS vector while preserving the existing widget behavior and icon selection UI by sanitizing icons before they reach v-html.

Description

• Replaced the previous normalizeSvg approach with a sanitizeSvg implementation in frontend/src/composables/useIcons.ts that parses the SVG via DOMParser and returns a cleaned root SVG string.
• The sanitizer removes executable/HTML-capable elements (script, foreignObject), strips inline event-handler attributes (on*), and removes javascript: payloads from href/xlink:href attributes.
• The sanitizer also removes fixed width/height attributes to preserve the original CSS-controlled sizing behavior, and the icon cache now stores sanitized output via svgCache[icon.name] = sanitizeSvg(icon.content).
• No changes were made to widget templates or the icons upload/list API in this patch; sanitization is applied client-side at the composable layer before any v-html usage.

Testing

• Ran type checking with npm --prefix frontend run typecheck (which runs vue-tsc --noEmit) and it completed successfully.

Codex Task