fix($sanitize): blacklist SVG `<use>` elements

The use element can reference external svg's (same origin) and can include
xlink javascript urls or foreign object that can execute xss.

This change disallows `<use>` elements in sanitized SVG markup.

An example of a malicious SVG document would be:

SVG to sanitize:
```
<svg><use xlink:href="test.svg#xss" /></svg>
```

External SVG file (test.svg)
```
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg" width="100"
   height="100"
   id="xss">
<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)">
  <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
</a>
</svg>
```

Here the SVG to sanitize loads in the `test.svg` file via the `<use>` element.
The sanitizer is not able to parse this file, which contains malicious
executable mark-up.

This can only be taken advantage of if the external file is available via the
same origin restrictions in place.

Closes #13453

BREAKING CHANGE:

The `<use>` element is now removed from SVG passed to the `$sanitize` service.

This element is only used to import external SVG resources, which is a security
risk as the `$sanitize` service does not have access to the resource in order
to sanitize it.