### Description

SVG XSS is possible if a server that does not set up CSP properly provides a page that uses Babylonjs GUI.Image.

### Environment

1. Server doesn't set proper CSP
2. JavaScript in SVG

### Example

[SVG XSS example](https://playground.babylonjs.com/#JUQKPE)

#### localhost Server Code

```py
from flask import Flask
from flask_cors import CORS
import time

app = Flask(__name__)
CORS(app)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=54321)
```

### Improvement

When Babylonjs' image loader parses SVG, tags other than those related to SVG, such as `<link>` or `<img>` tags, should not be executed after parsing.
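
For the first environment condition (the server sets no proper CSP), one way to attach a policy to the page that hosts the Babylon.js scene. This is an added example, not code from the original report or from Babylon.js; the directive values and the names `CSPMiddleware`, `build_csp` and `demo_headers` are assumptions, and it presumes the scene's scripts are served from the page's own origin.

```python
# Assumed baseline policy (not from the report): scripts only from the page's
# own origin and no 'unsafe-inline', so inline handlers (onerror, onload) on
# markup that ends up in the DOM after SVG parsing are refused by the browser.
DEFAULT_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'none'"],
    "img-src": ["'self'", "data:", "blob:", "https:"],  # remote textures
}


def build_csp(policy):
    """Serialize {directive: [sources]} into a CSP header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


class CSPMiddleware:
    """Wrap a WSGI app; for Flask: app.wsgi_app = CSPMiddleware(app.wsgi_app)."""

    def __init__(self, app, policy=None):
        self.app = app
        self.header = build_csp(policy or DEFAULT_POLICY)

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Append rather than replace: browsers enforce every CSP header
            # they receive, so a policy set by the app is never loosened.
            headers = list(headers) + [("Content-Security-Policy", self.header)]
            if not any(k.lower() == "x-content-type-options" for k, _ in headers):
                headers.append(("X-Content-Type-Options", "nosniff"))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start)


def demo_headers():
    """Run a constructed one-page app through the middleware."""
    def page(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<canvas id='renderCanvas'></canvas>"]

    seen = {}
    def capture(status, headers, exc_info=None):
        seen.update(headers)

    body = b"".join(CSPMiddleware(page)({"REQUEST_METHOD": "GET"}, capture))
    return seen, body
```

A CSP limits what injected markup can do in the page; it does not replace filtering non-SVG tags in the image loader as the Improvement section asks.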