LEI Zongmin
In HTML, `` itself has a special meaning, so it must be escaped; otherwise it may form an HTML tag. In your case this is probably incorrect usage: if you want to keep ``, you may not need to filter it through `xss()` at all.
Hi, @chladnefazole please try this example code:

```js
var dirtyHtml = 'Test';
var sanitizerOptions = {
  whiteList: {
    "!doctype": ["html"],
    meta: ["name", "content", "charset"],
    html: ["lang"],
    style: [],
    head: [],
    ...
```
@andrey-skl What do you expect to get from this input html?
@andrey-skl Did you mean that you expect that, when setting `allowCommentTag=true`, the content between `` is not processed?
Calling `xss()` with the default configuration results in `<source onerror=alert(document.domain) src=1>`.
Mainstream HTML parsers will parse it into the following result:

```json
[
  {
    "tag": "img",
    "attrs": {
      "width": "100/height=200/src=\"#\"/"
    }
  }
]
```

data:image/s3,"s3://crabby-images/e78ef/e78ef472973490e3a1e677d3c97035fbdf8b9c62" alt="image"

I think treating the slash...
There is a package named [cssfilter](https://github.com/leizongmin/js-css-filter) that can filter the `style` attribute, but filtering CSS from the `` tag is more complex than HTML, so this package `xss` currently does not support...
`` is not in the default whitelist; you can extend your own whitelist configuration, see the documentation: https://github.com/leizongmin/js-xss/blob/master/README.zh.md#%E7%99%BD%E5%90%8D%E5%8D%95
It means `iframe` is not in the default whitelist, you can try this way:

```typescript
interface ICustomWhiteList extends XSS.IWhiteList {
  iframe?: string[];
}
```
I have published a new version `[email protected]` including the following changes:

- [Fix whitespace bypass #218](https://github.com/leizongmin/js-xss/pull/218/files) by @TomAnthony
- [Add `` to default whitelist #216](https://github.com/leizongmin/js-xss/pull/216) by @spacegaier
- [Add ``...