background, datasrc, dynsrc, lowsrc, ping, and poster are included in allowed_attributes and omitted from attr_val_is_uri. On the upside, no browser appears to run scripts in these attributes, so while it is a potential XSS hole in the sanitizer given some unknown browser, it isn't in any known browser.
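The gap described above, as an added example that is not the sanitizer's own code: an audit that lists allowed URI-bearing attributes which skip the scheme check, and a minimal attribute filter showing the result before and after those names are added to the checked set. The list contents are a constructed miniature, and the function names, the scheme regex and the allowed protocols are assumptions made for illustration.

```python
import re

# Constructed miniature of the sanitizer's lists (assumption: the real lists
# are longer; only href/src/title and the six reported names appear here).
ALLOWED_ATTRIBUTES = {"href", "src", "title", "background", "datasrc",
                      "dynsrc", "lowsrc", "ping", "poster"}
ATTR_VAL_IS_URI = {"href", "src"}
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}  # assumed allow-list
# Every attribute here takes a URI (ping takes a space-separated list).
URI_BEARING = ATTR_VAL_IS_URI | {"background", "datasrc", "dynsrc",
                                 "lowsrc", "ping", "poster"}
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")

def unchecked_uri_attributes(allowed, uri_checked):
    """Allowed URI-bearing attributes that never reach the scheme check."""
    return sorted((allowed & URI_BEARING) - uri_checked)

def scheme_allowed(value):
    """True if every URL in the value is relative or uses an allowed scheme."""
    # Drop control characters (tab, CR, LF, ...) that can split a scheme name.
    cleaned = "".join(ch for ch in value if ch >= " " and ch != "\x7f")
    # Check each space-separated token so list-valued attributes are covered.
    for token in cleaned.split():
        m = SCHEME.match(token)
        if m and m.group(1).lower() not in ALLOWED_PROTOCOLS:
            return False
    return True

def sanitize_attrs(attrs, uri_checked):
    """Keep allowed attributes; drop checked URI attributes with a bad scheme."""
    kept = {}
    for name, value in attrs.items():
        name = name.lower()
        if name not in ALLOWED_ATTRIBUTES:
            continue
        if name in uri_checked and not scheme_allowed(value):
            continue
        kept[name] = value
    return kept

# Constructed sample attributes for one element.
SAMPLE = {"href": "javascript:void(0)", "background": "java\tscript:void(0)",
          "poster": "https://example.com/p.png", "onclick": "x()"}

if __name__ == "__main__":
    print(unchecked_uri_attributes(ALLOWED_ATTRIBUTES, ATTR_VAL_IS_URI))
    print(sanitize_attrs(SAMPLE, ATTR_VAL_IS_URI))  # background passes through
    print(sanitize_attrs(SAMPLE, URI_BEARING))      # background is dropped
```

Running the audit as a unit test against the real lists keeps a newly allowed URI attribute from silently bypassing the scheme check.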