sanitize-html - npm Package Compare versions

Comparing version 2.16.0 to 2.17.0

index.js (+10 -2)

@@ -303,4 +303,11 @@ const htmlparser = require('htmlparser2');

if (!allowedAttributesMap || has(allowedAttributesMap, name) || allowedAttributesMap['*']) {
const isBeingEscaped = skip && (options.disallowedTagsMode === 'escape' || options.disallowedTagsMode === 'recursiveEscape');
const shouldPreserveEscapedAttributes = isBeingEscaped && options.preserveEscapedAttributes;
if (shouldPreserveEscapedAttributes) {
each(attribs, function(value, a) {
result += ' ' + a + '="' + escapeHtml((value || ''), true) + '"';
});
} else if (!allowedAttributesMap || has(allowedAttributesMap, name) || allowedAttributesMap['*']) {
each(attribs, function(value, a) {
if (!VALID_HTML_ATTRIBUTE_NAME.test(a)) {
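Review bot: In the new `shouldPreserveEscapedAttributes` branch the attribute name `a` is concatenated into `result` as-is; only the value goes through `escapeHtml`. The branch that follows it rejects names that fail `VALID_HTML_ATTRIBUTE_NAME.test(a)`, so the preserved path is the one place where a parser-supplied name reaches the output unchecked. Suggest applying the same name test here, or escaping `a` as well, before `result += ' ' + a + '="' ...`, and covering it with a test whose attribute name contains markup characters. This branch is also taken before the `allowedAttributesMap` check, so every attribute on the escaped tag is emitted, not only allowlisted ones; that looks intentional but should be stated where the option is documented.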

@@ -927,3 +934,4 @@ // This prevents part of an attribute name in the output from being

enforceHtmlBoundary: false,
parseStyleAttributes: true
parseStyleAttributes: true,
preserveEscapedAttributes: false
};
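Review bot: `preserveEscapedAttributes: false` is added to the defaults with no comment, and in the index.js hunk at line 303 it is only read when `disallowedTagsMode` is `'escape'` or `'recursiveEscape'`. A one-line comment here saying it is ignored under any other mode would stop callers from setting it and expecting an effect. Defaulting to `false` keeps the 2.16.0 output unchanged for existing callers.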

@@ -930,0 +938,0 @@

+1
-1
{
"name": "sanitize-html",
"version": "2.16.0",
"version": "2.17.0",
"description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis",

@@ -5,0 +5,0 @@ "sideEffects": false,

@@ -748,3 +748,3 @@ # sanitize-html

if you set `disallowedTagsMode` to `recursiveEscape`, disallowed tag and its children will be escaped even for allowed tags
if you set `disallowedTagsMode` to `recursiveEscape`, disallowed tags and their children will be escaped even for allowed tags:

@@ -757,2 +757,11 @@ ```js

#### Escape the disallowed tag, including all its attributes.
By default, attributes are not preserved when tags are escaped. You can set `preserveEscapedAttributes` to `true` to
keep the attributes, which will also be escaped and therefore have no effect on the browser.
```js
preserveEscapedAttributes: true
```
### Ignore style attribute contents
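Review bot: The added example shows `preserveEscapedAttributes: true` on its own, but per the index.js change the option only applies when `disallowedTagsMode` is `escape` or `recursiveEscape`; show both options together in the example and say so in the paragraph. The text also states that the attributes "will also be escaped", while the code passes only the values through `escapeHtml`, so either the wording should say "attribute values" or the code should treat names too. It would also help to state that all attributes of the escaped tag are kept, including ones not listed in `allowedAttributes`.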

@@ -759,0 +768,0 @@