SECURITY: Fixes for main (#28137)

* SECURITY: Update default allowed iframes list

Change the default iframe url list to all include 3 slashes.

* SECURITY: limit group tag's name length

Limit the size of a group tag's name to 100 characters.

Internal ref - t/130059

* SECURITY: Improve sanitization of SVGs in Onebox

---------

Co-authored-by: Blake Erickson <o.blakeerickson@gmail.com>
Co-authored-by: Régis Hanol <regis@hanol.fr>
Co-authored-by: David Taylor <david@taylorhq.com>

db/migrate/20240610150449_limit_tag_group_name_length.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class LimitTagGroupNameLength < ActiveRecord::Migration[7.0]
+  def change
+    DB.exec <<~SQL
+      UPDATE tag_groups 
+      SET name = LEFT(name, 100)
+      WHERE LENGTH(name) > 100
+    SQL
+
+    change_column :tag_groups, :name, :string, limit: 100
+  end
+end