Add bandit, use to catch known vulnerable XML parsing (#28341)

* Add bandit to pre-commit and CI, use to catch known vulnerable XML parsing

* Use defusedxml instead of direct xml.etree to parse XML

* Move config to tests/bandit.yaml

.pre-commit-config.yaml

@@ -22,3 +22,12 @@ repos:
           - flake8-docstrings==1.5.0
           - pydocstyle==4.0.1
         files: ^(homeassistant|script|tests)/.+\.py$
+-   repo: https://github.com/PyCQA/bandit
+    rev: 1.6.2
+    hooks:
+      - id: bandit
+        args:
+          - --quiet
+          - --format=custom
+          - --configfile=tests/bandit.yaml
+        files: ^(homeassistant|script|tests)/.+\.py$