category_fetcher: reject XML responses with DOCTYPE/ENTITY declarations

User-configurable sites could send XXE or billion-laughs payloads
via tag category API responses. Reject any XML body containing
<!DOCTYPE or <!ENTITY before passing to ET.fromstring.

booru_viewer/core/api/category_fetcher.py

@@ -593,6 +593,9 @@ def _parse_tag_response(resp) -> list[tuple[str, int]]:
         return []
     out: list[tuple[str, int]] = []
     if body.startswith("<"):
+        if "<!DOCTYPE" in body or "<!ENTITY" in body:
+            log.warning("XML response contains DOCTYPE/ENTITY, skipping")
+            return []
         try:
             root = ET.fromstring(body)
         except ET.ParseError as e: