Mardak / profile


Sanitize html urls #67

Closed Mardak closed 10 years ago

Mardak commented 10 years ago

bleach.js does not properly sanitize HTML. For example, it lets through links with javascript: URLs. I'd prefer that you use the builtin sanitizer, but if you don't, you'll need to use something much better than this.

oyiptong commented 10 years ago

Copying relevant comments from: https://github.com/emtwo/profile/commit/770e4116bb304f729d071097479a9d0c07830604

bleach is only used for stripping html tags out of text, therefore only useful for innerHTML/CDATA type of data which may contain markup. title and kicker benefit from using bleach.clean. There is no attribute statement to escape from, therefore it shouldn't be necessary to use escapeHTML.

The character escaping is useful for all attributes, including URLs, for which an additional schema check is necessary.

Therefore, this bug is about sanitizing URL attributes, by adding on top of #68 by checking for the schema of URLs.
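As an added illustration of the check that the opening report and the comment above call for (a scheme allowlist applied to URL attributes on top of attribute escaping), here is a small JavaScript example. It is not code from the profile repository or from bleach.js; the helper names, the allowed-scheme set and the sample inputs are assumptions made for the example. The point it shows is that escaping alone cannot stop `javascript:alert(1)` in an href, because that string contains no characters that escaping touches, so the scheme has to be checked separately, and the check has to survive case changes and embedded control characters that browsers ignore.

```javascript
// Added example, not the project's code: URL scheme allowlist for
// href/src attributes, followed by HTML attribute escaping.
// Assumptions: allowed schemes are http, https and mailto; relative URLs
// are allowed; anything else is replaced with "#".

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Remove ASCII control characters (0x00-0x1F, 0x7F) and surrounding
// whitespace. Browsers drop these when parsing the scheme, so a naive
// prefix check would let "java\tscript:" or "\u0001javascript:" through.
function normalizeUrl(value) {
  return String(value)
    .replace(/[\u0000-\u001F\u007F]/g, "")
    .trim();
}

// Return the lower-cased scheme without the colon, or null when the URL
// has no scheme. The character class excludes "/", "?" and "#", so a
// colon after any of those (e.g. "/path:x") does not count as a scheme.
function getScheme(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// A URL is safe for an attribute if it is relative or its scheme is on
// the allowlist. Unknown schemes (data:, vbscript:, ...) are rejected.
function isSafeUrl(value) {
  const scheme = getScheme(normalizeUrl(value));
  if (scheme === null) {
    return true; // "/foo", "foo.html", "#anchor", "?q=1"
  }
  return ALLOWED_SCHEMES.has(scheme);
}

// Escape for HTML attribute context (both quote characters included).
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Scheme check first, then escaping. Unsafe URLs become "#" so the
// rendered link is inert rather than silently dropped.
function sanitizeHref(value) {
  const url = normalizeUrl(value);
  return escapeHtmlAttr(isSafeUrl(url) ? url : "#");
}

// Constructed sample inputs, including common bypass attempts.
const samples = [
  "https://example.com/path?a=1&b=2",
  "/relative/path",
  "#anchor",
  "mailto:user@example.com",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "  javascript:alert(1)",
  "java\tscript:alert(1)",
  "\u0001javascript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:msgbox(1)",
  "http://example.com/\" onmouseover=\"alert(1)",
];

for (const s of samples) {
  console.log(
    JSON.stringify(s),
    "->",
    isSafeUrl(s) ? "allowed" : "blocked",
    "|",
    sanitizeHref(s)
  );
}
```

The last sample is allowed by the scheme check but still needs escaping, which is why the two steps are complementary: the scheme check handles the `javascript:` family, and attribute escaping handles quote breaking. The allowlist is deliberately closed; a `foo:bar` string with an unknown scheme is treated as unsafe rather than as a relative path.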

Mardak commented 10 years ago

Closed by #69