    Limit XInclude processing to shortcut keys files. · 5b7e5409
    Jeremy Stashewsky authored
    This patch fixes a security vulnerability when using the batch or
    command-line processing features of Inkscape. The flaw allows an author
    of a malicious SVG file to trivially specify the href of a local or
    remote file to bring in as a `<text>` body or other element. The exact impact
    to security will depend a lot on the context in which Inkscape is being
    run, but in the worst-case scenario this can lead to leaking of private
    information, credentials, etc. Formally, this is a Local File Inclusion
    (LFI) and Server Side Request Forgery (SSRF) vulnerability vector.
    
    XInclude processing is retained for shortcut "keys" files _only_, which
    seems to have been the original intent behind the commit that introduced
    the vulnerability:
    inkscape/inkscape@e6eee384
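The hazard the commit message describes is not specific to Inkscape: any XML consumer that expands XInclude with a permissive loader turns an attacker-controlled `href` into a file read or an outbound request. The script below is an added example written for this page, not Inkscape code and not part of the commit; it uses Python's standard `xml.etree.ElementInclude` to show the same behaviour class and how to fail closed. The sample SVG strings, the `check_svg` / `load_svg_with_policy` helpers and the `XIncludeRejected` exception are constructed for illustration. The policy loader only ever delegates to the default loader for an explicit allowlist of hrefs, which mirrors the "keys files only" idea in the commit without claiming to reproduce its implementation.

```python
"""Detect and fail-closed on XInclude directives inside untrusted SVG.

Added example (not Inkscape code). Demonstrates that XInclude expansion
is a Local File Inclusion / SSRF vector when the loader is unrestricted,
and how to confine it to an allowlist.
"""
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude

XI_NS = "http://www.w3.org/2001/XInclude"
SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample: an SVG that tries to pull a local file into a <text> body.
MALICIOUS_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xi="{XI_NS}">
  <g>
    <text><xi:include href="/etc/passwd" parse="text"/></text>
  </g>
</svg>"""

# Constructed sample: a harmless SVG with no XInclude directives.
BENIGN_SVG = f"""<svg xmlns="{SVG_NS}"><text>hello</text></svg>"""


class XIncludeRejected(Exception):
    """Raised when a document asks to include an href the policy does not allow."""


def find_xincludes(svg_text):
    """Return (href, parse) for every xi:include element anywhere in the tree.

    ET.fromstring parses but never expands XInclude, so this is a safe
    pre-scan: it only reports what the document would try to include.
    """
    root = ET.fromstring(svg_text)
    return [
        (el.get("href"), el.get("parse", "xml"))
        for el in root.iter(f"{{{XI_NS}}}include")
    ]


def check_svg(svg_text, allowed_hrefs=frozenset()):
    """Policy check: (accepted, offending_hrefs).

    A document is accepted only if every href it wants to include is in
    the explicit allowlist. The default allowlist is empty, so untrusted
    input with any XInclude at all is rejected.
    """
    offending = [h for h, _ in find_xincludes(svg_text) if h not in allowed_hrefs]
    return (not offending, offending)


def make_policy_loader(allowed_hrefs):
    """Build an XInclude loader that refuses everything outside the allowlist.

    ElementInclude.include calls loader(href, parse) or
    loader(href, parse, encoding); anything not allowlisted raises instead of
    touching the filesystem or network.
    """
    def loader(href, parse, encoding=None):
        if href not in allowed_hrefs:
            raise XIncludeRejected(f"refused XInclude of {href!r}")
        # Only for allowlisted hrefs do we fall through to the stock loader,
        # which opens the path named by href.
        return ElementInclude.default_loader(href, parse, encoding)
    return loader


def load_svg_with_policy(svg_text, allowed_hrefs=frozenset()):
    """Parse an SVG and expand XInclude under the allowlist policy.

    Raises XIncludeRejected on any disallowed include. Never call
    ElementInclude.include on untrusted input without a restricting loader:
    the default loader reads whatever href names.
    """
    root = ET.fromstring(svg_text)
    ElementInclude.include(root, loader=make_policy_loader(allowed_hrefs))
    return root


if __name__ == "__main__":
    ok, bad = check_svg(MALICIOUS_SVG)
    print("malicious accepted?", ok, "offending hrefs:", bad)
    try:
        load_svg_with_policy(MALICIOUS_SVG)
    except XIncludeRejected as exc:
        print("blocked:", exc)
    root = load_svg_with_policy(BENIGN_SVG)
    print("benign text:", root.find(f"{{{SVG_NS}}}text").text)
```

The pre-scan (`check_svg`) is the cheap gate to run on any SVG that arrives from outside, for instance in a batch or command-line pipeline like the one the commit describes; the loader policy is the backstop for code paths that genuinely need XInclude for trusted configuration files and nothing else.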