security: svg xss fix

src/lib/components/common/SVGPanZoom.svelte

@@ -49,7 +49,45 @@
 
 <div bind:this={sceneParentElement} class="relative {className}">
 	<div bind:this={sceneElement} class="flex h-full max-h-full justify-center items-center">
-		{@html svg}
+		{@html DOMPurify.sanitize(svg, {
+			USE_PROFILES: { svg: true, svgFilters: true }, // allow <svg>, <defs>, <filter>, etc.
+			WHOLE_DOCUMENT: false,
+			ADD_TAGS: ['style', 'foreignObject'], // include foreignObject if using HTML labels
+			ADD_ATTR: [
+				'class',
+				'style',
+				'id',
+				'data-*',
+				'viewBox',
+				'preserveAspectRatio',
+				// markers / arrows
+				'markerWidth',
+				'markerHeight',
+				'markerUnits',
+				'refX',
+				'refY',
+				'orient',
+				// hrefs (for gradients, markers, etc.)
+				'href',
+				'xlink:href',
+				// text positioning
+				'dominant-baseline',
+				'text-anchor',
+				// pattern / clip / mask units
+				'clipPathUnits',
+				'filterUnits',
+				'patternUnits',
+				'patternContentUnits',
+				'maskUnits',
+				// a11y niceties
+				'role',
+				'aria-label',
+				'aria-labelledby',
+				'aria-hidden',
+				'tabindex'
+			],
+			SANITIZE_DOM: true
+		})}
 	</div>
 
 	{#if content}