
[Codex] fix(frontend): sanitize inline SVG icon content before v-html render#557

Open
Micsi wants to merge 3 commits into abeggled:main from Micsi:codex/propose-fix-for-stored-xss-in-svg-icons

Conversation


Micsi commented May 26, 2026

Upstream Tracking

Motivation

  • The frontend previously injected stored SVG icon content into the DOM using v-html without sanitization, which creates a stored XSS vector when authenticated users upload crafted SVGs and nodes reference them via svg:{name}.
  • The fix centralizes sanitization at the icon normalization boundary so icon content is safe before it is cached and rendered by VisuIcon while preserving existing UI behavior.

Description

  • Updated normalizeSvg in frontend/src/composables/useIcons.ts to parse SVG with DOMParser and return an empty string for non-<svg> roots.
  • Removed executable/embeddable elements from the parsed SVG (script, foreignObject, iframe, object, embed, audio, video) before returning content.
  • Stripped inline event-handler attributes (names starting with on) and removed dangerous URL-bearing attributes (href, xlink:href, src) when they use javascript:, data:, or external http(s) schemes, and preserved the prior root width/height stripping logic so CSS sizing remains unchanged.
  • Left existing call sites (VisuIcon, VisuTree, NodeOverview, Breadcrumb) untouched and performed sanitization centrally in the icons composable.

Testing

  • Ran the frontend typecheck successfully with cd frontend && npm run typecheck and the command completed without errors.

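The sanitization steps listed in the PR description (reject any root other than svg, drop the embeddable elements, strip on* handlers, drop dangerous URL-bearing attributes, strip the root width/height) as an added, stand-alone example. This is not the project's useIcons.ts code and does not reproduce it. Assumptions made here: DOMParser is a browser-only API, so a minimal XML tokenizer stands in for it and produces a comparable element tree under Node; the names SvgNode, parseXml, sanitizeNode, isDangerousUrl and normalizeSvg, and both sample icons, are constructed for this example. The URL check is slightly broader than the three schemes named in the PR: it rejects any scheme and protocol-relative URLs, so only same-document fragments (#id) and relative paths survive.

```typescript
// Added example, not the project's useIcons.ts: the PR's sanitization contract applied to a
// small element tree. A minimal XML tokenizer (an assumption for this example) stands in for
// the browser-only DOMParser so the sanitizing walk runs under Node.

interface SvgNode {
  tag: string;                    // element name, or "#text" for a text node
  attrs: Record<string, string>;  // attribute values with XML entities already decoded
  children: SvgNode[];
  text: string;                   // only meaningful when tag === "#text"
}

// Compared in lower case: v-html hands the result to the HTML parser, which is
// case-insensitive, so <SCRIPT> or <foreignobject> would still be live there.
const FORBIDDEN_ELEMENTS = new Set(["script", "foreignobject", "iframe", "object", "embed", "audio", "video"]);
const URL_ATTRIBUTES = new Set(["href", "xlink:href", "src"]);
const NAMED_ENTITIES: Record<string, string> = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
const XML_ESCAPES: Record<string, string> = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };

// Decode entities so an encoded scheme (java&#115;cript:) is judged as the browser will see it.
function decodeEntities(s: string): string {
  return s.replace(/&(#[xX]([0-9a-fA-F]+)|#([0-9]+)|lt|gt|amp|quot|apos);/g, (whole, body, hex, dec) => {
    if (hex || dec) {
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    return NAMED_ENTITIES[body] ?? whole;
  });
}

function parseAttrs(raw: string): Record<string, string> {
  const attrs: Record<string, string> = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?/g;
  for (let m = re.exec(raw); m; m = re.exec(raw)) attrs[m[1]] = decodeEntities(m[2] ?? m[3] ?? "");
  return attrs;
}

const textNode = (text: string): SvgNode => ({ tag: "#text", attrs: {}, children: [], text });

// Returns null for malformed markup, the analogue of DOMParser's parsererror document.
function parseXml(src: string): SvgNode | null {
  const doc: SvgNode = { tag: "#document", attrs: {}, children: [], text: "" };
  const stack: SvgNode[] = [doc];
  const token = /<!--[\s\S]*?-->|<!\[CDATA\[([\s\S]*?)\]\]>|<\?[\s\S]*?\?>|<\/([^\s>]+)\s*>|<([^\s\/>]+)((?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'))?)*)\s*(\/?)>|([^<]+)/g;
  let pos = 0;
  for (let m = token.exec(src); m; m = token.exec(src)) {
    if (m.index !== pos) return null;                  // stray '<' or other junk between tokens
    pos = token.lastIndex;
    const top = stack[stack.length - 1];
    if (m[1] !== undefined) top.children.push(textNode(m[1]));                 // CDATA section
    else if (m[2] !== undefined) {                                              // closing tag
      if (stack.length === 1 || top.tag !== m[2]) return null;
      stack.pop();
    } else if (m[3] !== undefined) {                                            // opening tag
      const el: SvgNode = { tag: m[3], attrs: parseAttrs(m[4]), children: [], text: "" };
      top.children.push(el);
      if (!m[5]) stack.push(el);
    } else if (m[6] !== undefined && m[6].trim() !== "") top.children.push(textNode(decodeEntities(m[6])));
  }
  return pos === src.length && stack.length === 1 ? doc : null;
}

// Any scheme, or a protocol-relative URL, is rejected after removing the whitespace and
// control characters browsers ignore; only fragments (#id) and relative paths survive.
function isDangerousUrl(value: string): boolean {
  const v = value.replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
  return /^([a-z][a-z0-9+.\-]*:|\/\/)/.test(v);
}

function sanitizeNode(node: SvgNode): void {
  node.children = node.children.filter(c => c.tag === "#text" || !FORBIDDEN_ELEMENTS.has(c.tag.toLowerCase()));
  for (const name of Object.keys(node.attrs)) {
    const lower = name.toLowerCase();
    if (lower.startsWith("on")) delete node.attrs[name];                        // onload, onclick, ...
    else if (URL_ATTRIBUTES.has(lower) && isDangerousUrl(node.attrs[name])) delete node.attrs[name];
  }
  for (const c of node.children) if (c.tag !== "#text") sanitizeNode(c);
}

function escapeXml(s: string): string {
  return s.replace(/[&<>"]/g, ch => XML_ESCAPES[ch]);
}

function serialize(node: SvgNode): string {
  if (node.tag === "#text") return escapeXml(node.text);
  const attrs = Object.keys(node.attrs).map(k => ` ${k}="${escapeXml(node.attrs[k])}"`).join("");
  const inner = node.children.map(serialize).join("");
  return inner ? `<${node.tag}${attrs}>${inner}</${node.tag}>` : `<${node.tag}${attrs}/>`;
}

// The contract described in the PR: empty string unless the single root is <svg>; forbidden
// elements, handlers and dangerous URLs dropped; root width/height stripped so CSS sizing rules.
function normalizeSvg(raw: string): string {
  const doc = parseXml(raw);
  if (!doc) return "";
  const [svg, ...rest] = doc.children.filter(c => c.tag !== "#text");
  if (!svg || rest.length > 0 || svg.tag.toLowerCase() !== "svg") return "";
  sanitizeNode(svg);
  delete svg.attrs.width;
  delete svg.attrs.height;
  return serialize(svg);
}

// Constructed samples for this example (not taken from the project).
const BENIGN_ICON = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><circle cx="8" cy="8" r="6"/></svg>';
const HOSTILE_ICON = `<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" ONLOAD="run()">
  <script>run()</script>
  <image href="java&#115;cript:run()"/>
  <use href="#shape"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="run()"/></body></foreignObject>
  <path d="M2 2h20v20H2z"/>
</svg>`;

console.log(normalizeSvg(BENIGN_ICON));                 // unchanged
console.log(normalizeSvg(HOSTILE_ICON));                // only <image/>, <use>, <path> remain, no width/height
console.log(JSON.stringify(normalizeSvg("<div>not an icon</div>")));  // ""
```

Two design points worth keeping in mind when porting this logic back onto DOMParser output. First, element and attribute names are compared in lower case because the sanitized string is later parsed by the HTML parser (via v-html), which is case-insensitive, while DOMParser with an XML MIME type is case-sensitive; a check that only matches the exact spelling `script` or `foreignObject` would let differently cased variants through to the renderer. Second, this mirrors the PR's denylist of elements; for icon content, an allowlist of the SVG elements and attributes the UI actually needs is the stronger default, since anything not on the list is dropped rather than having to be anticipated.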


Micsi commented May 26, 2026

🔄 Promotion update from the fork

This upstream PR was synchronized in this session with the state from Micsi#44.

Changes made

  • Description synchronized
  • Assignee set/added: @Micsi
  • Reviewer requested: @abeggled

Current commits from the fork

  • fix(frontend): sanitize inline svg icons before rendering
  • docs(release): note SVG sanitization fix in release notes
  • fix(frontend): harden SVG sanitizer against root/URL bypasses

Please use the updated state for the review.


Labels: Security (Security-related changes)
