Closed
Description
`background`, `datasrc`, `dynsrc`, `lowsrc`, `ping`, and `poster` are included in `allowed_attributes` and omitted from `attr_val_is_uri`. On the upside, no browser appears to run scripts in these attributes, so while it is a potential XSS hole in the sanitizer given some unknown browser, it isn't in any known browser.
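The following is an added, self-contained illustration of the bug class the issue describes; it is not the sanitizer project's own code. It models the split between an attribute allow-list and the subset of attributes whose values are scheme-checked as URIs, and shows that any URL-carrying attribute left out of the second set passes a `javascript:` value straight through. The tag and attribute sets, `ALLOWED_SCHEMES`, and the names `URI_ATTRS_BUGGY` / `URI_ATTRS_FIXED` are assumptions of this example; the input markup is constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed configuration for this example (not the project's real lists).
ALLOWED_TAGS = {"a", "img", "video", "body"}
ALLOWED_ATTRIBUTES = {"href", "src", "alt",
                      "background", "datasrc", "dynsrc", "lowsrc", "ping", "poster"}
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}   # "" covers relative URLs

# Buggy configuration: the six attributes from the issue are allowed but never
# scheme-checked, so their values reach the output untouched.
URI_ATTRS_BUGGY = {"href", "src"}
# Fixed configuration: every attribute that carries a URL is scheme-checked.
URI_ATTRS_FIXED = URI_ATTRS_BUGGY | {"background", "datasrc", "dynsrc",
                                     "lowsrc", "ping", "poster"}

# Browsers drop ASCII control characters (tab, newline, ...) when parsing a
# URL, so "java\tscript:" must be treated as "javascript:".
CONTROL_CHARS = {chr(c) for c in range(0x21)} | {"\x7f"}


def _scheme_ok(url):
    stripped = "".join(ch for ch in url if ch not in CONTROL_CHARS)
    try:
        return urlsplit(stripped).scheme in ALLOWED_SCHEMES  # scheme is lowercased
    except ValueError:
        return False


def uri_is_safe(name, value):
    # ping holds a space-separated list of URLs; every member must be acceptable.
    tokens = value.split() if name == "ping" else [value]
    return all(_scheme_ok(t) for t in tokens)


class Sanitizer(HTMLParser):
    """Rebuilds markup keeping only allowed tags/attributes; URI attributes
    named in uri_attrs are dropped unless their scheme is on the allow-list."""

    def __init__(self, uri_attrs):
        super().__init__(convert_charrefs=True)
        self.uri_attrs = uri_attrs
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:          # HTMLParser has already unescaped value
            if name not in ALLOWED_ATTRIBUTES:
                continue
            if value is None:               # boolean attribute
                kept.append(name)
                continue
            if name in self.uri_attrs and not uri_is_safe(name, value):
                continue                    # scheme-checked and rejected
            kept.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(" " + a for a in kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # void tags: no closing tag emitted

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data))


def sanitize(markup, uri_attrs):
    parser = Sanitizer(uri_attrs)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed inputs: lowsrc and ping are in ALLOWED_ATTRIBUTES but, in the buggy
# set, are not scheme-checked.
SAMPLE_IMG = '<img src="https://example.org/a.png" lowsrc="javascript:alert(1)">'
SAMPLE_PING = '<a href="https://example.org/" ping="https://t.example javascript:alert(1)">x</a>'
SAMPLE_OBFUSCATED = '<a href="JaVa&#x09;ScRiPt:alert(1)">x</a>'

if __name__ == "__main__":
    for cfg_name, cfg in (("buggy", URI_ATTRS_BUGGY), ("fixed", URI_ATTRS_FIXED)):
        for sample in (SAMPLE_IMG, SAMPLE_PING, SAMPLE_OBFUSCATED):
            print(cfg_name, "=>", sanitize(sample, cfg))
```

With the buggy set the `javascript:` values in `lowsrc` and `ping` survive sanitization verbatim; adding those attributes to the URI-checked set makes the sanitizer drop them while leaving the `https:` values alone. The control-character stripping in `_scheme_ok` matters for the fixed set too: without it, `JaVa&#x09;ScRiPt:` would parse as a harmless-looking unknown scheme in some checkers while still executing in a browser.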