Prevent script execution when viewing SVG files

A cross-site scripting vulnerability allows remote attackers to attach
maliciously crafted SVG files to issue reports or bugnotes. When a user
or an admin clicks on the attachment, file_download.php will it open the
SVG in a browser tab instead of downloading it as a file, causing the
javascript to execute. This risk is mitigated by MantisBT's default
Content Security Policy, which prevents execution of inline scripts.

This fixes the issue by forcing download as attachment for files of
image/svg+xml mime type.

Devendra Bhatla and Febin Mon Saji febinrev811@gmail.com both and
independently reported this vulnerability.

Fixes 0030384, CVE-2022-33910