refactor(icon): bind icon as CSS mask

[spike-rabbit]

This avoids potential XSS risks, by injecting the icon only as CSS mask-image.

---

• I confirm that this MR follows the contribution guidelines.

[gemini-code-assist]

Code Review

This pull request is a great step forward in improving security by removing innerHTML and DomSanitizer when rendering icons, opting for a safer CSS mask approach. The changes are well-implemented across the affected components and services. I've identified a bug where icons containing double quotes in their SVG data might not render correctly, and I've provided suggestions to fix this. Overall, excellent work on this refactoring.

[gemini-code-assist]

The current implementation of parseDataSvgIcon does not handle double quotes within the icon string, which can lead to broken image URLs. If an icon's SVG data contains a double quote, it will prematurely terminate the string within the url() function, causing the icon to fail to render. To fix this, you should escape any double quotes within the icon string.

Suggested change

	const parseDataSvgIcon = (icon: string): string => `url("${icon}")`;
	const parseDataSvgIcon = (icon: string): string => `url("${icon.replace(/"/g, '\\"')}")`;

[gemini-code-assist]

The current implementation of parseDataSvgIcon does not handle double quotes within the icon string, which can lead to broken image URLs. If an icon's SVG data contains a double quote, it will prematurely terminate the string within the url() function, causing the icon to fail to render. To fix this, you should escape any double quotes within the icon string.

Suggested change

	return `url("${icon}")`;
	return `url("${icon.replace(/"/g, '\\"')}")`;

[github-actions]

[github-actions]

Documentation.
Examples.
Playwright report.

Coverage Reports:

• element-ng
• element-translate-ng

[spike-rabbit]

@dr-itz do you have any opinion here? I don't remember, why we did not implement it that way in the beginning.