Add bandit, use to catch known vulnerable XML parsing (#28341)

* Add bandit to pre-commit and CI, use to catch known vulnerable XML parsing

* Use defusedxml instead of direct xml.etree to parse XML

* Move config to tests/bandit.yaml

tests/components/rss_feed_template/test_init.py

@@ -1,7 +1,7 @@
 """The tests for the rss_feed_api component."""
 import asyncio
-from xml.etree import ElementTree
 
+from defusedxml import ElementTree
 import pytest
 
 from homeassistant.setup import async_setup_component