[Codex] security: reject active/scriptable SVGs on icon import (prevent stored XSS)

[Micsi]

Motivation

• The config import and icon upload paths accepted attacker-controlled SVG bytes after a shallow <svg> check, and stored SVGs were later returned verbatim and rendered with v-html, enabling stored XSS.
• The change aims to block scriptable/active SVG constructs at ingestion so unsafe SVG content cannot be written to disk or later served to clients.

Description

• Added a server-side sanitizer _sanitize_svg in obs/api/v1/icons.py that rejects SVGs containing active/scriptable constructs such as <script>, <foreignObject>, inline on*= handlers, and javascript:/data: links.
• Applied the sanitizer to the dedicated icon upload endpoint (/api/v1/icons/import) for both single-file and ZIP-member flows so only safe SVG bytes are written.
• Applied the same sanitizer to the config restore flow in obs/api/v1/config.py so base64-decoded icons from config imports are validated before being stored.
• Added unit tests in tests/unit/test_icons.py that assert acceptance of minimal SVG and rejection of malicious patterns.

Testing

• Ran pytest -q tests/unit/test_icons.py and all unit tests passed (28 passed).
• Attempted to run the full integration suite, but integration tests could not run in this environment due to a missing pytest_asyncio dependency (so integration tests were not executed here).

---

Codex Task