SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials
SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to createAvatar() and serve the resulting SVG inline or with Content-Type: image/svg+xml.