XSS in enshrined/svg-sanitize due to mishandled script and data values in attributes