1-Click Cross-Site Scripting via Custom Configuration in SafeListSanitizer
Team Summary
Official summary from Ruby on Rails
Researcher @leonsirio reported that the SafeListSanitizer, when explicitly configured to allow `form` and `button` tags and the `formaction` attribute, can be fed crafted input that results in XSS. It's the position of the maintainers that although this may be undesirable behavior, it does not constitute a security vulnerability because the developer must opt-in to allow multiple blocked tags (form and button) and a blocked attribute (formaction). The default sanitizer configuration successfully sanitizes the input, and we feel this POC requires an extremely unlikely configuration -- in a real world application, it would be extremely surprising to configure the sanitizer to allow these tags and attributes in untrusted content. We would prefer to address in the public tracker the sanitizer's behavior when configured to allow `formaction` attributes.
Report Details
Additional information and metadata
State: Closed
Substate: Informative
Submitted
Weakness: Cross-site Scripting (XSS) - Generic