Problem/Motivation
CKEditor 4 always disallows on* attributes. We should implement similar measures in CKEditor 5 to prevent self XSS.
Proposed resolution
Make Drupal\ckeditor5\HTMLRestrictions disallow on* and style attributes.
Remaining tasks
Postponed on #3231334: Add validation for attributes allowed or forbidden on all elements
- Tests
- Validation constraint
- Review
User interface changes
A validation error will show up in the CKE5 admin UI if you attempt to configure Source Editing to explicitly allow one of these insecure attributes.
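The check this issue proposes, written as an added standalone PHP example; it is not the code of Drupal\ckeditor5\HTMLRestrictions or of any patch on this issue. The function names, the `<tag attr attr="value">` input format and the handling of `*` wildcards in attribute names are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; not part of Drupal\ckeditor5\HTMLRestrictions.

// TRUE if an attribute name, or a wildcard pattern, admits style or any on*.
function is_insecure_attribute_name(string $name): bool {
  $name = strtolower($name);
  $star = strpos($name, '*');
  if ($star === FALSE) {
    return $name === 'style' || strncmp($name, 'on', 2) === 0;
  }
  // Wildcard: could the pattern match exactly "style"?
  $regex = '/^' . str_replace('\*', '.*', preg_quote($name, '/')) . '$/';
  if (preg_match($regex, 'style') === 1) {
    return TRUE;
  }
  // Wildcard: could it match some on* name? Only the literal text before the
  // first * constrains how a matching name may begin (o*, on*, * all qualify).
  $prefix = substr($name, 0, $star);
  return strncmp($prefix, 'on', min(2, strlen($prefix))) === 0;
}

// Returns tag name => list of insecure attributes found in the allowed-tags string.
function find_insecure_attributes(string $allowed_tags): array {
  $violations = [];
  preg_match_all('/<([^\s>]+)([^>]*)>/', $allowed_tags, $tags, PREG_SET_ORDER);
  foreach ($tags as [, $tag, $attribute_string]) {
    // Attribute names, each with an optional ="..." value restriction.
    preg_match_all(
      '/([^\s=>"\']+)(?:\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+))?/',
      $attribute_string,
      $attrs
    );
    foreach ($attrs[1] as $name) {
      if (is_insecure_attribute_name($name)) {
        $violations[strtolower($tag)][] = strtolower($name);
      }
    }
  }
  return $violations;
}

// Constructed sample of an allowed-tags value, as an admin might enter it.
$sample = '<a href onClick> <span style class="x y"> <div data-*> <img o*> <p lang>';
print_r(find_insecure_attributes($sample));
```

A non-empty result is what would back the validation error in the admin UI; `data-*` and `lang` pass, while `onClick`, `style` and the `o*` wildcard are reported.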
API changes
None.
Data model changes
None.