Document or Prevent XSS Security Issues
E.g. `<img src onerror="alert(1)"/>` will execute arbitrary JavaScript. It would be good to either document this very explicitly or to prevent this security issue from ever happening.
Update: Non-HTML Vulnerability: #70 (comment)