Fix FileNotFoundError when uploading an SVG icon

The sanitize_svg_icon before_validation callback called icon.download,
but Active Storage uploads pending blobs in before_save — so at
before_validation time the file only existed in the request tempfile,
not at the configured storage path. Read from the pending attachable
(UploadedFile / IO hash) instead. Guards against the recursive callback
that icon.attach would otherwise trigger by tracking the cleaned
attachable by object identity. Bumps to 0.13.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

test/models/application_test.rb

@@ -1,7 +1,32 @@
 require "test_helper"
 
 class ApplicationTest < ActiveSupport::TestCase
-  # test "the truth" do
-  #   assert true
-  # end
+  test "sanitizes an SVG icon uploaded via UploadedFile (regression for FileNotFoundError)" do
+    app = applications(:kavita_app)
+
+    svg = %(<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script><path d="M0 0"/></svg>)
+    tempfile = Tempfile.new(["icon", ".svg"]).tap do |t|
+      t.write(svg)
+      t.rewind
+    end
+    uploaded = ActionDispatch::Http::UploadedFile.new(
+      tempfile: tempfile,
+      filename: "icon.svg",
+      type: "image/svg+xml"
+    )
+
+    # Previously raised ActiveStorage::FileNotFoundError because the
+    # before_validation callback called icon.download before the blob was
+    # uploaded to disk.
+    assert_nothing_raised do
+      app.update!(icon: uploaded)
+    end
+
+    cleaned = app.icon.download
+    refute_match(/<script/i, cleaned)
+    assert_match(/<path/, cleaned)
+  ensure
+    tempfile&.close
+    tempfile&.unlink
+  end
 end