sanitizeHtml failed to work, all other normal texts are removed unexpectly

[CaledoniaProject]

I need to transform the <e> tag and keep everything else escaped rather than removed. However sanitize-html not only failed to process the self closing <e> tag, it also killed the <?php part.

I created a minimal case to test:

yarn add [email protected]

And main.js:

let sanitizeHTML = require('sanitize-html')
let rawHtml = `
<e type="mention" title="@user1" />

How to output phpinfo:

<?php
phpinfo();
?>

test
`
const clean = sanitizeHTML(rawHtml, {
  allowedTags: ['a', 'e', 'span'],
  disallowedTagsMode: 'escape',
  selfClosing: ['e'],
  transformTags: {
    'e': function(tagName, attribs) {
      if (attribs['type'] == 'web') {
        return {
          tagName: 'a',
          attribs
        }
      } else {
        return {
          tagName: 'span',
          attribs,
          text: attribs['title']
        }
      }
    }
  }
})

console.log(clean)

Does anyone know what's wrong?

[CaledoniaProject]

Hi @BoDonkey @tomholub Can you please take a look at this?

[boutell]

<?php... isn't valid HTML. It's PHP. PHP can contain HTML outside of those blocks, but PHP is not HTML, and not what this module is designed to sanitize.

If you want to validate a document that explains PHP programming, you could probably do that by wrapping things in <pre>...</pre> tags and escaping < and > properly within them. But sanitize-html's job is not to figure out anything other than HTML.

As for the e tag, can you submit a PR with a failing unit test? See test/test.js, they are fairly easy to set up.