fix: custom menu security hardening and code quality improvements

- Add admin menu permission check in CustomPageView (visibility + role)
- Sanitize SVG content with DOMPurify before v-html rendering (XSS prevention)
- Decouple router.go from dto package using anonymous struct
- Consolidate duplicate parseCustomMenuItems into dto.ParseCustomMenuItems
- Enhance menu item validation (count, length, ID uniqueness limits)
- Add audit logging for purchase_subscription and custom_menu_items changes
- Update API contract test to include custom_menu_items field

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

frontend/src/components/common/ImageUpload.vue

@@ -11,7 +11,7 @@
           v-if="mode === 'svg' && modelValue"
           class="text-gray-600 dark:text-gray-300 [&>svg]:h-full [&>svg]:w-full"
           :class="innerSizeClass"
-          v-html="modelValue"
+          v-html="sanitizedValue"
         ></span>
         <!-- Image mode: show as img -->
         <img
@@ -71,6 +71,7 @@
 <script setup lang="ts">
 import { ref, computed } from 'vue'
 import Icon from '@/components/icons/Icon.vue'
+import { sanitizeSvg } from '@/utils/sanitize'
 
 const props = withDefaults(defineProps<{
   modelValue: string
@@ -97,6 +98,10 @@ const error = ref('')
 
 const acceptTypes = computed(() => props.mode === 'svg' ? '.svg' : 'image/*')
 
+const sanitizedValue = computed(() =>
+  props.mode === 'svg' ? sanitizeSvg(props.modelValue ?? '') : ''
+)
+
 const previewSizeClass = computed(() => props.size === 'sm' ? 'h-14 w-14' : 'h-20 w-20')
 const innerSizeClass = computed(() => props.size === 'sm' ? 'h-7 w-7' : 'h-12 w-12')
 const placeholderSizeClass = computed(() => props.size === 'sm' ? 'h-5 w-5' : 'h-8 w-8')