Problem/Motivation
Xss::filter() automatically does HTML escaping and protocol filtering on attributes. Protocols are filtered on everything except title, alt and data-* attributes.
Attribute, however, does no such protocol filtering, even though it claims to make attributes sanitized and safe (the issue to fix that claim is #2567741: Attribute/drupal_attributes() docs do not mention protocol filtering on URLs).
Proposed resolution
Apply protocol stripping in Attribute too, to everything except title, alt and data-* attributes.
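
The gap described above, as an added standalone illustration (not Drupal's code and not part of the original issue): the same attribute values rendered with HTML escaping only, and with protocol stripping applied first. The function names, the allow-list and the sample values are assumptions made for this example.

```php
<?php
// Added illustration, not Drupal's code. The allow-list is an assumption.
const ALLOWED_PROTOCOLS = ['http', 'https', 'mailto', 'tel'];

// Attributes the issue exempts from protocol filtering: title, alt, data-*.
function skips_protocol_filtering(string $name): bool {
  $name = strtolower($name);
  return $name === 'title' || $name === 'alt' || strncmp($name, 'data-', 5) === 0;
}

// Repeatedly drop a leading "scheme:" that is not on the allow-list.
function strip_dangerous_protocols(string $value): string {
  do {
    $before = $value;
    $colon = strpos($value, ':');
    if ($colon !== false && $colon > 0) {
      $scheme = substr($value, 0, $colon);
      // A colon after /, ? or # belongs to a relative URL, not a scheme.
      if (preg_match('![/?#]!', $scheme)) {
        break;
      }
      if (!in_array(strtolower($scheme), ALLOWED_PROTOCOLS, true)) {
        $value = substr($value, $colon + 1);
      }
    }
  } while ($before !== $value);
  return $value;
}

// Render one attribute; $filter toggles the behaviour the issue proposes.
function render_attribute(string $name, string $value, bool $filter): string {
  if ($filter && !skips_protocol_filtering($name)) {
    $value = strip_dangerous_protocols($value);
  }
  return sprintf('%s="%s"', $name, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample input: left column is escaping only, right is filtered.
$samples = [
  ['href', 'javascript:alert(1)'],
  ['href', 'https://example.com/?a=1&b=2'],
  ['href', '/node/1?destination=a:b'],
  ['title', 'Note: read this first'],
  ['data-target', 'custom:thing'],
];
foreach ($samples as [$name, $value]) {
  printf("%-45s | %s\n", render_attribute($name, $value, false), render_attribute($name, $value, true));
}
```

Only the first row differs between the two columns: escaping leaves the `javascript:` scheme intact because it contains no HTML-special characters, while the relative URL and the exempt title and data- values pass through unchanged.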