Sanitizer fails to treat some attributes as URLs

`background`, `datasrc`, `dynsrc`, `lowsrc`, `ping`, and `poster` are included in `allowed_attributes` and omitted from `attr_val_is_uri`. On the upside, no browser appears to run scripts in these attributes, so while it is a potential XSS hole in the sanitizer gives some unknown browser, it isn't in any known browser.
