Parsoid and TimedMediaHandler emit <video>, <source>, and <track> elements for audio/video content. These currently bypass the sanitizer on PHP side because they come from the TimedMediaHandler extension, and AIUI all extension content bypasses the sanitizer.
Parsoid generates this markup directly, and I believe the intent is for the A/V support to migrate to core eventually. So we should update the sanitizer to allow the necessary elements and attributes.
@Arlolra already wrote a patch for this: https://gerrit.wikimedia.org/r/349432
Filing this in phab for security review. If the security team would like to solve this a different way (for example, by simply bypassing the sanitizer for media markup, as we are currently doing in PHP) instead of merging @Arlolra's patch, then we need to update Parsoid to match; this task would then track the Parsoid work as well.