Limit XInclude processing to shortcut keys files.
This patch fixes a security vulnerability when using the batch or
command-line processing features of Inkscape. The flaw allows the author
of a malicious SVG file to trivially specify the href of a local or
remote file to bring in as a <text> body or other element. The exact
security impact depends heavily on the context in which Inkscape is being
run, but in the worst case this can lead to leaking of private
information, credentials, etc. Formally, this is a Local File Inclusion
(LFI) or Server Side Request Forgery (SSRF) vulnerability vector.
XInclude processing is retained for shortcut "keys" files only, which seems to have been the original intent behind the commit that introduced the vulnerability: e6eee384.
Using xinclude could be placed behind a command-line flag, but IMO xinclude should be off by default for SVG files.
To work around the new off-by-default behaviour, pre-processing the xinclude tags outside of Inkscape is an option. Inkscape isn't going to preserve the xinclude tags when round-tripping documents through the editor anyway, so I think pre-processing is a reasonable thing to expect users to do.
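As an added illustration of that pre-processing step (example code, not part of this MR or of Inkscape), the following stdlib-only Python scans an untrusted SVG for `xi:include` elements before it reaches a batch renderer and strips them, so a `<text>` body can no longer be filled from an arbitrary href. The sample SVG and the `secret.txt` href are constructed for the example; `xml.etree.ElementTree` mirrors the off-by-default behaviour in that it never expands XInclude unless the caller explicitly asks for it.

```python
"""Detect and strip XInclude elements from an SVG before batch processing."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XI_NS = "http://www.w3.org/2001/XInclude"
XI_INCLUDE = "{%s}include" % XI_NS

# Keep the default SVG namespace unprefixed when serialising the cleaned document.
ET.register_namespace("", SVG_NS)

# Constructed sample: a <text> body that would be filled from an external file
# if the consumer performed XInclude processing.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude">
  <text x="10" y="20"><xi:include href="secret.txt" parse="text"/></text>
  <rect width="10" height="10"/>
</svg>"""


def find_xinclude_hrefs(svg_bytes):
    """Return the href of every xi:include element found in the document.

    ElementTree parses xi:include as an ordinary element; nothing is fetched
    unless xml.etree.ElementInclude.include() is called on the tree.
    """
    root = ET.fromstring(svg_bytes)
    return [el.get("href", "") for el in root.iter(XI_INCLUDE)]


def strip_xincludes(svg_bytes):
    """Remove every xi:include element; return (cleaned_bytes, removed_count)."""
    root = ET.fromstring(svg_bytes)
    removed = 0
    # ElementTree has no parent pointers, so snapshot all elements first and
    # drop xi:include children from each one.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == XI_INCLUDE:
                parent.remove(child)
                removed += 1
    return ET.tostring(root), removed


if __name__ == "__main__":
    print("xi:include hrefs found:", find_xinclude_hrefs(SAMPLE_SVG))
    cleaned, count = strip_xincludes(SAMPLE_SVG)
    print("removed %d element(s):" % count)
    print(cleaned.decode())
```

A stricter policy for a server-side pipeline is to reject the file outright when `find_xinclude_hrefs` returns anything, rather than silently cleaning it.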
I've taken this code for a manual testing spin. I focused on the shortcuts preferences panel, and it seems to work OK.
I'm looking into getting a CVE# assigned for this issue.
If the way I've implemented this fix really doesn't work, or if there are some nits I can address, please let me know and I can try my best to re-work it.