diff --git a/index.bs b/index.bs
index ca53380..c1354cc 100644
--- a/index.bs
+++ b/index.bs
@@ -54,6 +54,11 @@ text: report a warning to the console; type: dfn; url: https://console.spec.what
   "href": "https://www.bucksch.org/1/projects/mozilla/108153/",
   "title": "HTML Sanitizer",
   "publisher": "Ben Bucksch"
+  },
+  "XSS": {
+    "href": "https://developer.mozilla.org/de/docs/Web/Security/Attacks/XSS",
+    "title": "Cross-Site Scripting",
+    "publisher": "MDN Web Docs"
   }
 }
 </pre>
@@ -1452,11 +1457,17 @@ URLs, is as follows:
 
 # Security Considerations # {#security-considerations}
 
-The Sanitizer API is intended to prevent DOM-based Cross-Site Scripting
-by traversing a supplied HTML content and removing elements and attributes
-according to a configuration. The specified API must not support
-the construction of a Sanitizer object that leaves script-capable markup in
-and doing so would be a bug in the threat model.
+The Sanitizer API is intended to prevent DOM-based Cross-Site Scripting [[XSS]]
+by traversing supplied HTML content and removing elements and attributes
+according to a configuration. The Sanitizer API ships a strict baseline,
+such that scripting can never be allowed (cf. [[#never-allowed]]).
+In addition to this, a default safe list includes further restrictions that may help
+prevent a wide range of undesirable effects. These include, elements that can override
+site-specific settings (e.g., `<meta>`), embed third-party content, or change the
+layout/semantics of the page (e.g., `<img>`, `<style>`, `aria-` attributes).
+In addition, we disallow element and attribute configurations that lead to outgoing HTTP
+requests, and form controls. A detailed list is given in [[#default-disallowed-elements]].
+
 
 That being said, there are security issues which the correct usage of the
 Sanitizer API will not be able to protect against and the scenarios will be
@@ -1466,8 +1477,7 @@ laid out in the following sections.
 
 <em>This section is not normative.</em>
 
-The Sanitizer API operates solely in the DOM and adds a capability to traverse
-and filter an existing DocumentFragment. The Sanitizer does not address
+The Sanitizer API operates solely in the browser. The Sanitizer does not address
 server-side reflected or stored XSS.
 
 ## DOM clobbering ## {#dom-clobbering}
@@ -1479,8 +1489,8 @@ application by naming elements through `id` or `name` attributes such that
 properties like `children` of an HTML element in the DOM are overshadowed by
 the malicious content.
 
-The Sanitizer API does not protect DOM clobbering attacks in its
-default state, but can be configured to remove `id` and `name` attributes.
+The Sanitizer API disallows the `id` and `name` attributes by default, but
+can be configured to allow them if desired.
 
 ## XSS with Script gadgets ## {#script-gadgets}
 
@@ -1512,13 +1522,13 @@ into a different parent element. An example for carrying out such an attack
 is by relying on the change of parsing behavior for foreign content or
 mis-nested tags.
 
-The Sanitizer API offers only functions that turn a string into a node tree.
-The context is supplied implicitly by all sanitizer functions:
+The Sanitizer API offers functions that combine parsing, sanitization and insertion.
+As such, the parsing context is supplied implicitly by all sanitizer functions:
 `Element.setHTML()` uses the current element; `Document.parseHTML()` creates a
 new document. Therefore Sanitizer API is not directly affected by mutated XSS.
 
 If a developer were to retrieve a sanitized node tree as a string, e.g. via
-`.innerHTML`, and to then parse it again then mutated XSS may occur.
+`.innerHTML`, to only parse or insert it again, mutated XSS may still occur.
 We discourage this practice. If processing or passing of HTML as a
 string should be necessary after all, then any string should be considered
 untrusted and should be sanitized (again) when inserting it into the DOM. In
@@ -1527,6 +1537,479 @@ longer be considered as sanitized.
 
 A more complete treatment of mXSS can be found in [[MXSS]].
 
+
+# Index
+
+<em>This section is not normative.</em>
+
+### Elements and attributes in the MathML namespace
+
+The `<math>` element and various additional elements are allowed.
+The list and their reasoning for the inclusion can be found in [[SafeMathML]].
+
+### Elements and attributes in the SVG namespace
+
+Features are either allowed, allowable (e.g., disallowed by default but can be included in a custom configuration) or completely disallowed.
+
+<table>
+   <caption>Global Attributes in the SVG Namespace</caption>
+   <thead>
+    <tr>
+     <th> Attribute
+     <th> Decision
+     <th> Reasoning (if disallowed)
+   <tbody>
+
+    <tr>
+     <td><code>cx</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-1"><sup>1</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>cy</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-1"><sup>1</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>height</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-1"><sup>1</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>width</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-1"><sup>1</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>x</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-1"><sup>1</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>y</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-1"><sup>1</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>d</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-1"><sup>1</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>fill</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+
+    <tr>
+     <td><code>transform</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+
+    <tr>
+     <td><code>alignment-base</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+
+    <tr>
+     <td><code>baseline-shift</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+
+    <tr>
+     <td><code>clip-path</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+
+    <tr>
+     <td><code>clip-rule</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+
+    <tr>
+     <td><code>color</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+
+    <tr>
+     <td><code>color-interpolation</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>color-interpolation-filters</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-3"><sup>3</sup></a></td>
+    </tr>
+    <tr>
+     <td><code>cursor</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>direction</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>display</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>dominant-baseline</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>fill-opacity</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>fill-rule</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>filter</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-2"><sup>2</sup></a></td>
+    </tr>
+    <tr>
+     <td><code>flood-color</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-2"><sup>2</sup></a></td>
+    </tr>
+    <tr>
+     <td><code>flood-opacity</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-2"><sup>2</sup></a></td>
+    </tr>
+    <tr>
+     <td><code>font-family</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>font-size</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>font-size-adjust</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>font-stretch</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>font-style</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>font-variant</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>font-weight</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>glyph-orientation-horizontal</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-3"><sup>3</sup></a></td>
+    </tr>
+    <tr>
+     <td><code>glyph-orientation-vertical</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-3"><sup>3</sup></a></td>
+    </tr>
+    <tr>
+     <td><code>image-rendering</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-4"><sup>4</sup></a></td>
+    </tr>
+    <tr>
+     <td><code>letter-spacing</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>lighting-color</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-3"><sup>3</sup></a></td>
+    </tr>
+    <tr>
+     <td><code>marker-end</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>marker-mid</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>marker-start</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>mask</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-5"><sup>5</sup></a></td>
+    </tr>
+    <tr>
+     <td><code>mask-type</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-5"><sup>5</sup></a></td>
+    </tr>
+    <tr>
+     <td><code>opacity</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>overflow</code></td>
+     <td>Allowable</td>
+     <td><a href="#svg-attr-6"><sup>6</sup></a></td>
+    </tr>
+    <tr>
+     <td><code>paint-order</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>pointer-events</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>shape-rendering</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>stop-color</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>stop-opacity</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>stroke</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>stroke-dasharray</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>stroke-dashoffset</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>stroke-linecap</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>stroke-linejoin</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>stroke-miterlimit</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>stroke-opacity</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>stroke-width</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>text-anchor</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>text-decoration</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>text-overflow</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>text-rendering</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>transform-origin</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>unicode-bidi</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>vector-effect</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>visibility</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>white-space</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>word-spacing</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+    <tr>
+     <td><code>writing-mode</code></td>
+     <td>Allowed</td>
+     <td></td>
+    </tr>
+
+
+</tbody>
+</table>
+
+### Legend of exclusion criteria for SVG features.
+<ol>
+<li id="svg-attr-1">This attribute is disallowed as a global attribute, we only want to allow it on some elements.
+<li id="svg-attr-2">This attribute is disallowed because we do not allow the SVG `<filter>` element.
+<li id="svg-attr-3">This attribute is disallowed because it is deprecated
+<li id="svg-attr-4">This attribute is disallowed because we do not allow the `<image>` element.
+<li id="svg-attr-5">This attribute is disallowed because we do not allow the `<mask>` element.
+<li id="svg-attr-6">This attribute is disallowed because we do not allow the the element to impact the page layout.
+</ol>
+
+
+## Elements and attributes not allowed in the default config ##  {#default-disallowed-elements}
+
+While the Sanitizer aims to disallow Cross-Site Scripting attacks [[XSS]], the default
+settings are a bit stricter and do not include elements that may change page
+settings, layout or fetch resources from other origins. The following elements
+can be allowed with a configuration, but the individual reasoning for disallowing
+them by default is given below.
+
+See also: [[#security-considerations]].
+
+
+## Elements that are **never** allowed ## {#never-allowed}
+
+TODO: Freddy will fold this into the individual HTML and SVG lists. To be written above.
+
+  <table>
+   <caption>List of unsafe and disallowed elements</caption>
+   <thead>
+    <tr>
+     <th> Element
+     <th> Namespace
+     <th> Description
+   <tbody>
+
+    <tr>
+     <td><code>embed</code></td>
+     <td>http://www.w3.org/1999/xhtml</td>
+     <td><a href="#html-el-1"><sup>1</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>frame</code></td>
+     <td>http://www.w3.org/1999/xhtml</td>
+     <td><a href="#html-el-1"><sup>1</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>iframe</code></td>
+     <td>http://www.w3.org/1999/xhtml</td>
+     <td><a href="#html-el-1"><sup>1</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>object</code></td>
+     <td>http://www.w3.org/1999/xhtml</td>
+     <td>This element is disallowed because it can include other, untrusted documents and including scripts.</td>
+    </tr>
+
+    <tr>
+     <td><code>script</code></td>
+     <td>http://www.w3.org/1999/xhtml</td>
+     <td><a href="#html-el-2"><sup>2</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>script</code></td>
+     <td>http://www.w3.org/2000/svg</td>
+     <td><a href="#html-el-2"><sup>2</sup></a></td>
+    </tr>
+
+    <tr>
+     <td><code>use</code></td>
+     <td>http://www.w3.org/2000/svg</td>
+     <td><a href="#html-el-1"><sup>1</sup></a></td>
+    </tr>
+  </table>
+
+### Legend of exclusion criteria for HTML features.
+<ol>
+<li id="html-el-1">This element is always disallowed because it can include other, untrusted documents and including scripts.
+<li id="html-el-2">This element is always disallowed because it executes scripts.
+</ol>
+
+
+
+
+## Event Handler Content Attributes
+
+All known [=event handler content attributes=] are disallowed, as they execute script.
+
 # Acknowledgements # {#ack}
 
 This work is informed and inspired by [[DOMPURIFY]] from cure53,