Remove deprecated usage of inline SVG

[LukasMasuch]

Describe your changes

Since this PR last year, almost all SVGs used in st.image get rendered by using the img tag instead of injecting the SVG into the HTML DOM. As far as I remember, the only reason we kept markup was to still support xlink functionality for external links. However, xlink has been long deprecated (see here), and usage is not recommended.

Here are a couple more arguments for why we should remove the SVG markup injection:

• Rendering SVGs in an img tag is considered XSS save (as far as I know). On the other hand, injecting SVG into the HTML DOM is quite problematic from a security perspective, even though we try to sanitize the SVG.
• SiS clears out the markup field for the stated security concerns, so it will likely never be supported in SiS.
• We can remove an unmaintained dependency: react-html-parser
• All images rendered by st.image behave the same by using the img tag, the usage of markup did not correctly adapt to the other st.image parameters (width, use_column_width, and fullscreen mode).

But this change might also break a couple of apps that include external resources within the SVG. For example, this would not work anymore since it requires an external image:

    st.image(
        """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
        <clipPath id="clipCircle">
            <circle r="25" cx="25" cy="25"/>
        </clipPath>
        <image href="https://avatars.githubusercontent.com/karriebear" width="50" height="50" clip-path="url(#clipCircle)"/>
    </svg>
    """
    )

This PR also removes the xssSanitizeSvg for SVG data URIs. The reason is that this isn't very effective since an attacker could easily circumvent this, e.g., by using base64 or URL-encoding the SVG data URI or by embedding the image via markdown:

# This will be sanitized:

st.image(
    """
<svg width="100" height="100" xmlns="http://www.w3.org/2000/svg">
<script>alert("BOOOM");</script>
  <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
</svg>
    """
)

# These two render the same SVGs, but do not get sanitized:

st.image(
"data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHNjcmlwdD5hbGVydCgiQk9PT00iKTs8L3NjcmlwdD4KICA8Y2lyY2xlIGN4PSI1MCIgY3k9IjUwIiByPSI0MCIgc3Ryb2tlPSJibGFjayIgc3Ryb2tlLXdpZHRoPSIzIiBmaWxsPSJyZWQiIC8+Cjwvc3ZnPg=="
)

st.markdown(
    """
![alt text](data:image/svg+xml,%3Csvg%20width%3D%22100%22%20height%3D%22100%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Cscript%3Ealert%28%22BOOOM%22%29%3B%3C%2Fscript%3E%0A%20%20%3Ccircle%20cx%3D%2250%22%20cy%3D%2250%22%20r%3D%2240%22%20stroke%3D%22black%22%20stroke-width%3D%223%22%20fill%3D%22red%22%20%2F%3E%0A%3C%2Fsvg%3E)
"""
)

Script in SVG is not executed when used with img tags, so this should be anyways safe without requiring sanitation.

This PR also converts all SVGs to base64 on the backend to prevent encoding issues (e.g. #3882).

GitHub Issue Link (if applicable)

Closes: #3882

Testing Plan

• This PR doesn't add any new logic, so only some changes in the existing tests.

---

Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.

[vdonato]

This PR also removes the xssSanitizeSvg for SVG data URIs. The reason is that this isn't very effective since an attacker could easily circumvent this, e.g., by using base64 or URL-encoding the SVG data URI or by embedding the image via markdown:
...
Script in SVG is not executed when used with img tags, so this should be anyways safe without requiring sanitation.

This seems fine to me given that scripts embedded in SVG data URIs aren't executed, but I wonder if this is something we might want to run by ProdSec just to be extra-safe