yesodweb / haskell-xss-sanitize

prevent XSS attacks by sanitizing html (this is different than escaping!)

img attribute getting removed #14

Open snap9 opened 7 years ago

snap9 commented 7 years ago

I'm using imgsrc to support high-resolution display images: https://webkit.org/demos/srcset/

<img src="image.jpg" srcset="image-1x.jpg 1x, image-2x.jpg 2x, image-3x.jpg 3x">

Your XSS strips this down to

<img src="image.jpg">

It just gets rid of the srcset. Why, and if srcset isn't really dangerous, can you consider whitelisting it?

gregwebs commented 7 years ago

This is easy to add: I pushed a srcset branch.

However, this attribute is not in my reference implementation: https://github.com/html5lib/html5lib-python/blob/master/html5lib/filters/sanitizer.py A goal of this library is to have 3rd-party vetting of the safety of the sanitization.

gregwebs commented 7 years ago

OK, that implementation is stalled. srcset looks like it can be treated just like src.
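The "treat srcset like src" idea from the thread, as an added example that is neither haskell-xss-sanitize's nor html5lib's code: each comma-separated srcset candidate is split into its URL and optional descriptor, the URL is checked against the same scheme allowlist a src attribute gets, the descriptor must look like `1x`/`2.5x`/`640w`, and the whole attribute is dropped if any candidate fails. The `SAFE_SCHEMES` set is an assumption for illustration, not the library's own list.

```python
import re
from urllib.parse import urlparse

# Assumed src-style allowlist: relative URLs (empty scheme), http and https.
# javascript:, data:, vbscript: etc. are rejected because they are absent.
SAFE_SCHEMES = {"", "http", "https"}

# Width descriptor (integer + w) or pixel-density descriptor (number + x).
DESCRIPTOR = re.compile(r"\d+w|\d+(?:\.\d+)?x")


def safe_url(url: str) -> bool:
    """Same rule a src attribute would get: scheme must be in the allowlist.
    ASCII control characters and whitespace are removed first, because
    browsers ignore them when reading the scheme ('java\\tscript:')."""
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


def sanitize_srcset(value: str):
    """Return a normalised srcset value, or None if the attribute must go.
    Any bad candidate discards the whole attribute rather than part of it."""
    kept = []
    for candidate in value.split(","):
        parts = candidate.split()
        if not parts:                       # empty candidate, e.g. trailing comma
            return None
        url, descriptors = parts[0], parts[1:]
        if len(descriptors) > 1 or not safe_url(url):
            return None
        if descriptors and not DESCRIPTOR.fullmatch(descriptors[0]):
            return None
        kept.append(" ".join(parts))
    return ", ".join(kept)


def sanitize_img_attrs(attrs: dict) -> dict:
    """Allowlist approach: src and srcset are kept only when safe, every
    other attribute (onerror, onload, ...) is dropped."""
    out = {}
    if "src" in attrs and safe_url(attrs["src"]):
        out["src"] = attrs["src"]
    if "srcset" in attrs:
        cleaned = sanitize_srcset(attrs["srcset"])
        if cleaned is not None:
            out["srcset"] = cleaned
    return out
```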