Closed
Description
background, datasrc, dynsrc, lowsrc, ping, and poster are included in allowed_attributes and omitted from attr_val_is_uri. On the upside, no browser appears to run scripts in these attributes, so while it is a potential XSS hole in the sanitizer given some unknown browser, it isn't in any known browser.
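The gap described in the report, as an added example that is not the sanitizer's own code: a simplified model of an allowlist sanitizer where only attributes in attr_val_is_uri get a scheme check, plus a config lint that flags URL-bearing attributes that are allowed but never checked. The attribute and protocol sets are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: every attribute the sanitizer keeps.
ALLOWED_ATTRIBUTES = frozenset([
    "href", "src", "alt", "title",
    "background", "datasrc", "dynsrc", "lowsrc", "ping", "poster",
])
# Constructed: attributes whose values are validated as URIs.
# The six attributes named in the report are missing from it.
ATTR_VAL_IS_URI = frozenset(["href", "src"])
ALLOWED_PROTOCOLS = frozenset(["http", "https", "mailto"])
# Attributes that carry a URL in at least some browser (the report's list).
URL_BEARING = frozenset(["background", "datasrc", "dynsrc", "lowsrc", "ping", "poster"])
# Hardened set: every allowed URL-bearing attribute is also URI-checked.
HARDENED_ATTR_VAL_IS_URI = ATTR_VAL_IS_URI | URL_BEARING


def uri_attrs_missing_from_check(allowed, uri_checked, url_bearing=URL_BEARING):
    """Config lint: allowed URL-bearing attributes that skip the URI check."""
    return sorted((allowed & url_bearing) - uri_checked)


def scheme_ok(value):
    """True if the value is relative or uses an allowed scheme.

    Control characters and whitespace are removed first, since browsers ignore
    them inside a scheme (a simplification of what real sanitizers do).
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]+", "", value)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_PROTOCOLS


def sanitize_attrs(attrs, allowed=ALLOWED_ATTRIBUTES, uri_checked=ATTR_VAL_IS_URI):
    """Keep allowed attributes; drop URI-checked ones with a disallowed scheme.

    Attributes in `allowed` but not in `uri_checked` pass through untouched,
    which is exactly the hole the report describes.
    """
    out = {}
    for name, value in attrs.items():
        name = name.lower()
        if name not in allowed:
            continue
        if name in uri_checked and not scheme_ok(value):
            continue
        out[name] = value
    return out
```

Running the lint against the buggy sets lists the six attributes; with HARDENED_ATTR_VAL_IS_URI it returns an empty list and the same script-scheme value is stripped from ping just as it is from href.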