This article treats an HTML page like a template, with slots where a developer is allowed to put untrusted data. These slots cover the vast majority of the common places where a developer might want to put untrusted data. Putting untrusted data in other places in the HTML is not allowed. This is a "whitelist" model that denies everything that is not specifically allowed. Given the way browsers parse HTML, each of the different types of slots has slightly different security rules.

This document sets out the most common types of slots and the rules for putting untrusted data into them safely. Based on the various specifications, known XSS vectors, and a great deal of manual testing with all the popular browsers, we have determined that the rules proposed here are safe. The slots are defined and a few examples of each are provided.

The alt attribute provides an alternate text for an image, if the user for some reason cannot view it (because of a slow connection, an error in the src attribute, or because the user uses a screen reader). If a browser cannot find an image, it will display the value of the alt attribute. A screen reader is a software program that reads the HTML code, converts the text, and allows the user to "listen" to the content. Screen readers are useful for people who are blind, visually impaired, or learning disabled.

The width, height, and style attributes are all valid in HTML5. Setting the size in the style attribute prevents internal or external style sheets from changing the original size of images. If no folder is specified in the src attribute, the browser expects to find the image in the same folder as the web page. However, it is common to store images in a sub-folder.
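The slot model described above, as an added example that is not part of the original article or of any library: each slot type gets its own output encoder, and a template helper refuses to place untrusted data in any slot that is not on the whitelist. The `renderImageCard` function, its `images/placeholder.png` path, and the sample caption and alt text are all constructed for this illustration and are not from the page.

```javascript
// Added example (not from the cheat sheet): per-slot output encoders for the
// two most common template slots, plus a whitelist that rejects every other slot.

// Slot 1: HTML element content, e.g. <div>HERE</div>.
// Encode the characters that can change HTML structure.
function encodeForHtmlContent(untrusted) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Slot 2: quoted HTML attribute value, e.g. <img alt="HERE">.
// Encode every non-alphanumeric code point as &#xHH; so the value can never
// close the surrounding quote or start a new attribute, whatever quote style
// the template used. The 'u' flag makes the regex match whole code points.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const hex = ch.codePointAt(0).toString(16).toUpperCase();
    return `&#x${hex};`;
  });
}

// The whitelist: only slot types listed here may receive untrusted data.
const SLOT_ENCODERS = {
  htmlContent: encodeForHtmlContent,
  htmlAttribute: encodeForHtmlAttribute,
};

// Place untrusted data into a named slot, or refuse if the slot is not allowed
// (for example, a script block or a raw URL slot not covered by this list).
function fillSlot(slotType, untrusted) {
  const encoder = SLOT_ENCODERS[slotType];
  if (!encoder) {
    throw new Error(`untrusted data is not allowed in slot "${slotType}"`);
  }
  return encoder(untrusted);
}

// Hypothetical template: an image card whose alt text and caption both come
// from an untrusted source (e.g. user-supplied metadata). The src path is a
// constructed placeholder; untrusted data is deliberately kept out of it.
function renderImageCard(untrusted) {
  return (
    '<figure>' +
    `<img src="images/placeholder.png" alt="${fillSlot('htmlAttribute', untrusted.altText)}">` +
    `<figcaption>${fillSlot('htmlContent', untrusted.caption)}</figcaption>` +
    '</figure>'
  );
}

// Constructed sample input containing quotes, angle brackets and an ampersand.
const sampleInput = {
  altText: 'Cat "photo"',
  caption: '<b>Hi</b> & "bye"',
};

console.log(renderImageCard(sampleInput));
```

The attribute encoder is stricter than the content encoder on purpose: inside an attribute value, a single stray quote character is enough to break out of the slot, so everything except alphanumerics is entity-encoded. Any attempt to route untrusted data to a slot type that is not in `SLOT_ENCODERS` fails loudly rather than falling back to no encoding.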