attributes, too. Since there's a potential for creating webbugs of 1x1px we might want
to enforce a minimum size for them. But that has always existed when the attacker provides
the image.
The sanitizer isn't treating numeric-like arguments in a special way. That is something
to fix.
# Not usually allowed, but may be used for extension-style hooks
# such as <math> when it is rasterized, or if $wgAllowImageTag is
# true
- 'img' => array_merge( $common, array( 'alt', 'src' ) ),
+ 'img' => array_merge( $common, array( 'alt', 'src', 'width', 'height' ) ),
# 15.2.1
'tt' => $common,