Merge commit from fork

* Security: prevent XSS with storage path template rendering

* Security: prevent XSS svg uploads

* Security: force attachment disposition for logo

* Add suggestions from code review

* Improve SVG validation with allowlist for tags and attributes

src-ui/src/app/components/manage/management-list/management-list.component.html

@@ -68,6 +68,8 @@
             <td scope="row" [ngClass]="{ 'd-none d-sm-table-cell' : column.hideOnMobile }">
               @if (column.rendersHtml) {
                 <div [innerHtml]="column.valueFn.call(null, object) | safeHtml"></div>
+              } @else if (column.monospace) {
+                <span class="font-monospace">{{ column.valueFn.call(null, object) }}</span>
               } @else {
                 {{ column.valueFn.call(null, object) }}
               }

src-ui/src/app/components/manage/management-list/management-list.component.ts

@@ -53,6 +53,8 @@ export interface ManagementListColumn {
   rendersHtml?: boolean
 
   hideOnMobile?: boolean
+
+  monospace?: boolean
 }
 
 @Directive()

src-ui/src/app/components/manage/storage-path-list/storage-path-list.component.ts

@@ -48,10 +48,10 @@ export class StoragePathListComponent extends ManagementListComponent<StoragePat
       {
         key: 'path',
         name: $localize`Path`,
-        rendersHtml: true,
         hideOnMobile: true,
+        monospace: true,
         valueFn: (c: StoragePath) => {
-          return `<code>${c.path?.slice(0, 49)}${c.path?.length > 50 ? '...' : ''}</code>`
+          return `${c.path?.slice(0, 49)}${c.path?.length > 50 ? '...' : ''}`
         },
       },
     ]