Security Considerations: add HTML Editor Image Upload topic

concepts/Common/Security Considerations/20 HTML Encoding/50 General Risk/00 General Risk.md

@@ -0,0 +1 @@
+Mitigating certain XSS risks cannot be achieved solely using component properties. Application logic and display methods play a critical role. If you pass user input to custom renderers, templates, or external scripts, this may allow XSS, regardless of property configurations. Address these risks with escaping characters, sanitization of user input, or implement a strict [Content Security Policy](/Documentation/Guide/Common/Security_Considerations/#Content_Security_Policy).

concepts/Common/Security Considerations/20 HTML Encoding/50 General Risk/05 HTML Editor Image Upload.md

@@ -0,0 +1,12 @@
+When users insert an image in the [HTML Editor](/api-reference/10%20UI%20Components/dxHtmlEditor '/Documentation/ApiReference/UI_Components/dxHtmlEditor/') "From the Web" dialog, treat the value as untrusted. Attackers may enter scriptable URLs (such as `javascript:` or `data:`) or targets that return HTML instead of an image. 
+
+![HTML Editor with an opened "From the Web" image upload dialog](/images/htmlEditor/html-editor-xss.png)
+
+To block stored or reflected XSS:
+
+- Validate each URL.
+- Route image retrieval through a server-side proxy and check returned data.
+- Clean document HTML during save.
+- Render with a restrictive [Content Security Policy (CSP)](/Documentation/Guide/Common/Security_Considerations/#Content_Security_Policy).
+
+[important] SVG format allows scripts. Apply SVG-aware sanitization or rasterize images on the server before use.