improve sanitization of img tags

[uhoreg]

• allow width, height, alt, title attributes in img (fixes allow width/height attributes in img tags element-hq/element-web#4646)
• replace disallowed URL schemes with the alt or title attribute (fixes replace external images with alt text instead of completely stripping them out element-hq/element-web#4044)

If you want me to split these into two PRs, I can, but I figured that since they're both small, and related, I would put them together.

[matrixbot]

Can one of the admins verify this patch?

[lukebarnard1]

Your first bullet looks like something we should just do, so LGTM on that bit. The second part I'm not sure about because replacing the <img> with a <span> feels like it would be quite confusing, albeit less confusing than not showing any image at all. I'm wondering if we should instead insert a placeholder that indicates the error that's happened or whether we just insert a link that points to the src. @lampholder any UX-y thoughts?

[lampholder]

I'd say lets take advantage of the first bullet and kick the second point down the road until a time when we can think about what this would look like :P

[uhoreg]

OK, I'll close this PR for now, and create a new PR for just the first point.