Security Considerations: add HTML Editor Image Upload topic

concepts/Common/Security Considerations/20 HTML Encoding/50 General Risk/00 General Risk.md

@@ -0,0 +1 @@
+Certain XSS risks cannot be mitigated solely through component properties. Application logic and rendering methods are equally critical. Passing user input to custom renderers, templates, or external scripts can still expose your application to XSS, regardless of property settings. To address these risks, use escape characters, sanitize user input, or enforce a strict [Content Security Policy](/Documentation/Guide/Common/Security_Considerations/#Content_Security_Policy).

concepts/Common/Security Considerations/20 HTML Encoding/50 General Risk/05 HTML Editor Image Upload.md

@@ -0,0 +1,12 @@
+When users insert an image in the [HTML Editor](/api-reference/10%20UI%20Components/dxHtmlEditor '/Documentation/ApiReference/UI_Components/dxHtmlEditor/') "From the Web" dialog, treat the value as untrusted. Attackers may enter scriptable URLs (such as `javascript:` or `data:`) or targets that return HTML instead of an image. 
+
+![HTML Editor with an opened "From the Web" image upload dialog](/images/htmlEditor/html-editor-xss.png)
+
+To block stored or reflected XSS:
+
+- Validate each URL.
+- Route image retrieval through a server-side proxy and check returned data.
+- Clean document HTML during save.
+- Render with a restrictive [Content Security Policy (CSP)](/Documentation/Guide/Common/Security_Considerations/#Content_Security_Policy).
+
+[important] SVG format allows scripts. Apply SVG-aware sanitization or rasterize images on the server before use.