fix(sanitize): prevent XSS via SVG animate values attribute

[beliarh]

Found that values attribute in SVG <animate> tags wasn't being checked for dangerous URL schemes like javascript: or data:. This could be exploited like this:

<svg>
  <animate xlink:href="#xss" attributeName="href" values="javascript:alert(1)" />
  <a id="xss"><text>Click</text></a>
</svg>

The issue is that allowedSchemesAppliedToAttributes already has from and to for animate elements, but values was missing.

Changes

Added values to the list of attributes that get validated.
Now it works the same way as href, from, and to - extracts the scheme and blocks if it's not in the whitelist.
Regular animation values like "0;1;0" or "red;green;blue" work fine since they don't have a scheme prefix.
Only stuff like javascript:, data:, vbscript: gets filtered out.

Tests

Added two test cases to xss.test.ts - one with javascript: and one with data: scheme.
Both get properly sanitized now (the values attribute is removed from the output).