
IMG-019: Missing SVG Sanitization

Open murdore opened this issue 1 month ago • 0 comments

Summary

SVG files are detected but not sanitized. An SVG can carry JavaScript, so serving an unsanitized upload leads to XSS.

Root Cause

Lines 244-250 detect SVG but don't sanitize script tags and event handlers.

Fix

Implement SVG sanitization removing script tags, event handlers, and javascript: URLs.

Acceptance Criteria

  • [ ] Implement SVG sanitization or add security warning
  • [ ] Remove script tags
  • [ ] Remove event handlers (onclick, onload, etc.)
  • [ ] Add configuration flag to allow/reject SVGs
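A reference implementation of the fix described above, added here as an illustration; it is not code from the neurolink project and assumes the SVG arrives as a string (the function names and the `allow_svg` flag are hypothetical). It covers the three items the issue lists plus the allow/reject flag from the acceptance criteria.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialize <svg> without an ns0: prefix
# Browsers ignore whitespace/control chars inside a URL scheme ("java\nscript:").
_SCHEME_NOISE = re.compile(r"[\x00-\x20]")

def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]

def sanitize_svg(svg_text):
    """Return (clean_svg, removed): <script> elements, on* event-handler
    attributes and javascript: hrefs are dropped; `removed` names each one
    (worth logging). Parse with defusedxml.ElementTree in production: the
    stdlib parser does not block XML entity-expansion attacks."""
    root = ET.fromstring(svg_text)
    if _local(root.tag).lower() == "script":
        raise ValueError("root element is <script>")
    removed = []
    for parent in list(root.iter()):            # snapshot: the tree is mutated
        for child in list(parent):
            if _local(child.tag).lower() == "script":
                parent.remove(child)
                removed.append("script")
    for el in root.iter():
        for attr, value in list(el.attrib.items()):
            name = _local(attr).lower()
            if name.startswith("on"):               # onclick, onload, onbegin, ...
                del el.attrib[attr]
                removed.append(name)
            elif name == "href" and _SCHEME_NOISE.sub("", value).lower().startswith("javascript:"):
                del el.attrib[attr]                 # covers href and xlink:href
                removed.append("javascript-url")
    return ET.tostring(root, encoding="unicode"), removed

def accept_svg_upload(svg_text, allow_svg=False):
    """Upload-path policy: reject SVG unless the allow_svg configuration flag
    is set; when it is, only the sanitized document is stored and served."""
    return sanitize_svg(svg_text)[0] if allow_svg else None

# Constructed sample (not a real upload) with each payload type the issue lists.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="java&#10;script:alert(1)"><circle r="4" onclick="alert(1)"/></a>
  <a href="https://example.com/safe"><rect width="4" height="4"/></a>
</svg>"""
```

This is a denylist for exactly the vectors the issue names; an allowlist of permitted elements and attributes is the stronger long-term design, and the reject-by-default flag is the safe setting until one exists.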

murdore, Dec 01 '25 08:12