This is not a security update!
This is a usability update as some HTML elements are valid without attributes however the default behaviour is to strip these out of an abundance of caution. The picture element https://developer.mozilla.org/en-US/docs/Web/HTML/Element/picture is one such element where it merely changes the browser rendering such that one of the child elements will be rendered.
The picture element was not present in the allowlist when it should have been, and so this release fixes that as per #161 .