diff --git a/concepts/Common/Security Considerations/20 HTML Encoding/50 General Risk/00 General Risk.md b/concepts/Common/Security Considerations/20 HTML Encoding/50 General Risk/00 General Risk.md new file mode 100644 index 0000000000..ab9ac14cf3 --- /dev/null +++ b/concepts/Common/Security Considerations/20 HTML Encoding/50 General Risk/00 General Risk.md @@ -0,0 +1 @@ +Mitigating certain XSS risks cannot be achieved solely using component properties. Application logic and display methods play a critical role. If you pass user input to custom renderers, templates, or external scripts, this may allow XSS, regardless of property configurations. Address these risks with escaping characters, sanitization of user input, or implement a strict [Content Security Policy](/Documentation/Guide/Common/Security_Considerations/#Content_Security_Policy). \ No newline at end of file diff --git a/concepts/Common/Security Considerations/20 HTML Encoding/50 General Risk/05 HTML Editor Image Upload.md b/concepts/Common/Security Considerations/20 HTML Encoding/50 General Risk/05 HTML Editor Image Upload.md new file mode 100644 index 0000000000..d8dce55232 --- /dev/null +++ b/concepts/Common/Security Considerations/20 HTML Encoding/50 General Risk/05 HTML Editor Image Upload.md 
@@ -0,0 +1,12 @@ +When users insert an image in the [HTML Editor](/api-reference/10%20UI%20Components/dxHtmlEditor '/Documentation/ApiReference/UI_Components/dxHtmlEditor/') "From the Web" dialog, treat the value as untrusted. Attackers may enter scriptable URLs (such as `javascript:` or `data:`) or targets that return HTML instead of an image. + +![HTML Editor with an opened "From the Web" image upload dialog](/images/htmlEditor/html-editor-xss.png) + +To block stored or reflected XSS: + +- Validate each URL. +- Route image retrieval through a server-side proxy and check returned data. +- Clean document HTML during save. +- Render with a restrictive [Content Security Policy (CSP)](/Documentation/Guide/Common/Security_Considerations/#Content_Security_Policy). + +[important] SVG format allows scripts. Apply SVG-aware sanitization or rasterize images on the server before use. \ No newline at end of file diff --git a/images/htmlEditor/html-editor-xss.png b/images/htmlEditor/html-editor-xss.png new file mode 100644 index 0000000000..3f94f7689f Binary files /dev/null and b/images/htmlEditor/html-editor-xss.png differ
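Review bot: the closing sentence of `00 General Risk.md` mixes noun phrases with an imperative ("Address these risks with escaping characters, sanitization of user input, or implement a strict ..."), and "escaping characters" does not say what is escaped or when. Suggest parallel imperatives that name the control, e.g. "Escape (HTML-encode) untrusted values at the point of output, sanitize user input, or implement a strict [Content Security Policy](...)". The file also ends without a trailing newline (`\ No newline at end of file`); add one so later edits do not churn the last line.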
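Review bot: in `05 HTML Editor Image Upload.md` the mitigation list is less specific than the threat paragraph it follows. "- Validate each URL." does not say what the validation is; since the first paragraph names `javascript:` and `data:` as the problem, spell out the check, e.g. "Validate each URL: accept only `http:` and `https:` schemes and reject everything else." On the proxy line, "check returned data" should say what is checked: that the response really is an image (Content-Type and the decoded bytes), because the same paragraph warns about targets that return HTML instead of an image. "Clean document HTML during save" is non-standard wording; "Sanitize document HTML on save" matches the "SVG-aware sanitization" phrasing in the `[important]` note below it. This file also lacks a trailing newline.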