fix: remove data: and vbscript: attributes (#7)

JounQin · web-flow · commit 44c65f881a57 · 2022-07-28T21:51:45.000+08:00
diff --git a/.changeset/yellow-cooks-film.md b/.changeset/yellow-cooks-film.md
@@ -2,4 +2,4 @@
 "domiso": patch
 ---
 
-feat: better HTML/XML support, remove `javascript:` attributes
+feat: better HTML/XML support, remove `data:`, `javascript:` and `vbscript:` attributes
diff --git a/src/index.ts b/src/index.ts
@@ -8,8 +8,8 @@ const sanitizeAttributes = (el: Element) => {
   for (let i = 0, len = attrs.length; i < len; i++) {
     const attr = attrs[i]
     if (
-      attr.name.toLowerCase().startsWith('on') ||
-      attr.value.toLowerCase().startsWith('javascript:')
+      /^on/i.test(attr.name) ||
+      /^(?:data|javascript|vbscript):/i.test(attr.value)
     ) {
       el.removeAttributeNode(attr)
       // eslint-disable-next-line sonar/updated-loop-counter -- the attribute is removed, the index and length must be rechecked
@@ -39,9 +39,7 @@ function sanitizeNode(el: Document | Element) {
     return sanitizeChildren(el)
   }
 
-  const tagName = el.tagName.toLowerCase()
-
-  if (['parsererror', 'script'].includes(tagName)) {
+  if (['parsererror', 'script'].includes(el.tagName.toLowerCase())) {
     el.remove()
     return null
   }
