SECURITY: Don't allow embedded application/xml in SVG's

Authored by csteipp.

Description

SECURITY: Don't allow embedded application/xml in SVG's

Fix for iSEC-WMF1214-11 and issue reported by Cure 53, which got
around our blacklist on embedded href targets. Use a whitelist instead.

Bug: T85850
Change-Id: I0cf9df4883994072029a2eda1fce8acb39a8f6e9

Details