Actually, stripping of attributes from HTML is not a flaw, but a design of the filter. If you don't want that to happen you can either write your own filter or use the Full HTML option.
Keep in mind that IMG tags can introduce significant security threats into your site. Use them carefully. And, BTW, Drupal HTML should not have font tags at all - leave that to CSS.
Nancy
Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
From: James Rome
Even though I have <img> as an allowed tag, the filtered html filter
gets rid of the guts of the tag (the pointer to the image) in Drupal 7
with TinyMCE. The html is just left with <img />. Ditto for font and
span tags. This seems like a fundamental flaw. How do I allow users to
insert images into filtered HTML posts?