Merge commit from fork

* Security: prevent XSS with storage path template rendering

* Security: prevent XSS svg uploads

* Security: force attachment disposition for logo

* Add suggestions from code review

* Improve SVG validation with allowlist for tags and attributes

src/paperless/urls.py

@@ -1,5 +1,3 @@
-from pathlib import Path
-
 from allauth.account import views as allauth_account_views
 from allauth.mfa.base import views as allauth_mfa_views
 from allauth.socialaccount import views as allauth_social_account_views
@@ -13,7 +11,6 @@ from django.urls import re_path
 from django.utils.translation import gettext_lazy as _
 from django.views.decorators.csrf import ensure_csrf_cookie
 from django.views.generic import RedirectView
-from django.views.static import serve
 from drf_spectacular.views import SpectacularAPIView
 from drf_spectacular.views import SpectacularSwaggerView
 from rest_framework.routers import DefaultRouter
@@ -45,6 +42,7 @@ from documents.views import UnifiedSearchViewSet
 from documents.views import WorkflowActionViewSet
 from documents.views import WorkflowTriggerViewSet
 from documents.views import WorkflowViewSet
+from documents.views import serve_logo
 from paperless.consumers import StatusConsumer
 from paperless.views import ApplicationConfigurationViewSet
 from paperless.views import DisconnectSocialAccountView
@@ -267,11 +265,7 @@ urlpatterns = [
         # TODO: with localization, this is even worse! :/
     ),
     # App logo
-    re_path(
-        r"^logo(?P<path>.*)$",
-        serve,
-        kwargs={"document_root": Path(settings.MEDIA_ROOT) / "logo"},
-    ),
+    path("logo/<path:filename>", serve_logo, name="app_logo"),
     # allauth
     path(
         "accounts/",