Add preserveEscapedAttributes option to allow attributes on escaped disallowed tags to be retained

benelliott · benelliottgsa · commit ae1dc35af6b4 · 2025-05-08T10:37:04.000+01:00
Fixes #540
diff --git a/index.js b/index.js
@@ -300,7 +300,14 @@ function sanitizeHtml(html, options, _recursing) {
         }
       }
 
-      if (!allowedAttributesMap || has(allowedAttributesMap, name) || allowedAttributesMap['*']) {
+      const isBeingEscaped = skip && (options.disallowedTagsMode === 'escape' || options.disallowedTagsMode === 'recursiveEscape');
+      const shouldPreserveEscapedAttributes = isBeingEscaped && options.preserveEscapedAttributes;
+
+      if (shouldPreserveEscapedAttributes) {
+        each(attribs, function(value, a) {
+          result += ' ' + a + '="' + escapeHtml((value || ''), true) + '"';
+        });
+      } else if (!allowedAttributesMap || has(allowedAttributesMap, name) || allowedAttributesMap['*']) {
         each(attribs, function(value, a) {
           if (!VALID_HTML_ATTRIBUTE_NAME.test(a)) {
             // This prevents part of an attribute name in the output from being
@@ -923,7 +930,8 @@ sanitizeHtml.defaults = {
   allowedSchemesAppliedToAttributes: [ 'href', 'src', 'cite' ],
   allowProtocolRelative: true,
   enforceHtmlBoundary: false,
-  parseStyleAttributes: true
+  parseStyleAttributes: true,
+  preserveEscapedAttributes: false
 };
 
 sanitizeHtml.simpleTransform = function(newTagName, newAttribs, merge) {
diff --git a/test/test.js b/test/test.js
@@ -1811,4 +1811,26 @@ describe('sanitizeHtml', function() {
     );
     assert.equal(sanitizedHtml, expectedOutput);
   });
+  it('should not preserve attributes on escaped disallowed tags when `preserveEscapedAttributes` is false', () => {
+    const inputHtml = '<div class="foo">Some Text</div>';
+    const expectedOutput = '&lt;div&gt;Some Text&lt;/div&gt;';
+    const sanitizedHtml = sanitizeHtml(inputHtml, {
+      allowedTags: [],
+      disallowedTagsMode: 'escape',
+      preserveEscapedAttributes: false
+    });
+
+    assert.equal(sanitizedHtml, expectedOutput);
+  });
+  it('should preserve attributes on escaped disallowed tags when `preserveEscapedAttributes` is true', () => {
+    const inputHtml = '<div class="foo">Some Text</div>';
+    const expectedOutput = '&lt;div class="foo"&gt;Some Text&lt;/div&gt;';
+    const sanitizedHtml = sanitizeHtml(inputHtml, {
+      allowedTags: [],
+      disallowedTagsMode: 'escape',
+      preserveEscapedAttributes: true
+    });
+
+    assert.equal(sanitizedHtml, expectedOutput);
+  });
 });
