Security related fixes

[bobvandevijver]

No description provided.

[Copilot]

Pull request overview

This PR introduces security hardening by enabling Symfony trusted host validation by default and replacing ad-hoc SVG JavaScript checks with a dedicated SVG sanitization library during uploads.

Changes:

• Add framework.trusted_hosts configuration driven by SYMFONY_TRUSTED_HOSTS (including a YAML migration).
• Replace the SVG upload validation callback with enshrined/svg-sanitize-based sanitization that rewrites the temporary upload.
• Document and announce the security-related changes in .env and CHANGELOG.md.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
yaml-migrations/m_2026-05-14-framework.yaml	Adds a migration to introduce trusted hosts config into config/packages/framework.yaml on upgrade.
src/Controller/Backend/Async/UploadController.php	Switches SVG validation to library-based sanitization and writes sanitized SVG back to the temp file.
config/packages/framework.yaml	Enables framework.trusted_hosts with an env-driven pattern.
composer.json	Adds the enshrined/svg-sanitize dependency used by the upload controller.
CHANGELOG.md	Adds a 6.1.3 security release entry describing the changes.
.env	Adds guidance (commented) for setting SYMFONY_TRUSTED_HOSTS.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.