
lucgommans, yesterday at 10:41 PM, 0 replies

> would love to see more tooling to lint and sanitize them before deployment

Sanitisation is one of two possible defences, the other being script execution controls or sandboxing. E.g., if you serve vector images on a web server, set a Content Security Policy header¹ for all your images that simply denies all scripting. You can also run it from a dummy domain ('origin') with nothing valuable on it (like how domains such as googleusercontent.com and githubusercontent.com are being used).

For sanitisation, DOMPurify² is the only widely used and tested library that I know of. It could use more bindings for other languages but, if you can call into it, it can go in your deployment pipeline. (Disclosure: I've worked with some of the people at Cure53, but not on this project)

You can also combine the approaches for defence in depth.

¹ https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP

² https://github.com/cure53/DOMPurify