braintree / sanitize-url

MIT License

Validate against common attacks #14

Closed domoritz closed 5 years ago

domoritz commented 5 years ago

It would be great if this implementation was validated against many possible attacks. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet is a good starting point.

crookedneighbor commented 5 years ago

Hey @domoritz, this module is mainly for sanitizing URLs before they get injected into the DOM as part of a link or button, not general XSS sanitization.

If you think we've missed something, you can raise a specific issue.

Also, we'll happily review a pull request!