String "unsafe" comes from contenteditable="true" div to where it was pasted as image from clipboard
// neeeds to be escaped. It is HTML5 valid
String unsafe = ""<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAABaklEQVQokZWSXYuCQBSG+xdCa5nRRZgzUlmDNlmCxSCjZg4Y9OkwMxf9Sn/aXrRERrC779U5L+fhfHBa9T/Vek3m8/kztm3bcRzXdTebjed50+m0AWy3W4RQXdcAgCcAIcyyTEpZlqVlWQ1ASnm9XpMksW3bsiwAAISQECKEuN/vlNL1et0ALpeLUkoIked5EAS+7xNCqqpSSlFKwzB838FxnCiKzuezEOJ4PJZlebvdOOdxHGOMPyytaRqEEGPMGOOcSymVUoyx5+gfrjQYDB5zn04nznlVVYyxyWRimuYHoN/vD4fD5XKZpmlRFGma7na7w+GQ5zlCaDQavQOu64ZhmCRJlmUYYwDAeDwOw7Aoiv1+v1gsHMdpAIQQSiml1Pd9wzC63a5hGL1eDyEURVEQBJ1OpwFQSuM49jxP13Vd1x+maZpfL2oAq9VqNpu1221N097O8lpdv/3Sj9X6YDaA1p/V6PBr6UPfrxpWT8DSD68AAAAASUVORK5CYII=" alt="">
"
org.jsoup.safety.Whitelist whitelist = Whitelist.relaxed();
whitelist.addEnforcedAttribute("a", "rel", "nofollow");
String safe = Jsoup.clean(unsafe, whitelist);
//and safe becomes: "<img alt="">"
//entire src lost !?
Note: randome surrouning html has no effect. Src is lost in any case.