symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses

An attacker can inject XSS payloads into inline SVG rendered by the `ux_icon()` Twig function because the output is marked `is_safe=['html']` and never escaped [ref_id=1]. Browsers execute `<script>` elements and `on*` event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site scripting [ref_id=1]. Concrete attack vectors include a malicious SVG icon pack from a third-party theme or downloaded icon set, or a controlled Iconify endpoint configured via `iconify.endpoint` (including a poisoned cache) [ref_id=1].

The `ux_icon()` Twig function is marked `is_safe=['html']`, so Twig never escapes its output, and `Icon::toHtml()` inlines the SVG source verbatim into the page [ref_id=1]. Two code paths were affected: `Icon::fromFile()` only stripped `<script>` elements that were direct children of `<svg>`, leaving nested scripts and all `on*` attributes untouched; the Iconify on-demand path (enabled by default) performed no sanitization at all on the remote JSON `body` field [ref_id=1].

The patch introduces an `IconFactory` class that centralizes sanitization across every icon source before an `Icon` object is created [patch_id=6640821]. The sanitizer removes script-capable elements (`script`, `foreignObject`, `iframe`, `object`, `embed`), SMIL animations targeting `on*`, `href`, or `xlink:href` attributes, CDATA sections, processing instructions, all `on*` attributes, and `javascript:`, `vbscript:`, and `data:text/html` URL schemes [ref_id=1]. `<style>` elements are kept for theming but have any handlers stripped, and icons that contain none of these constructs are byte-for-byte identical after sanitization [ref_id=1].