Tweak escape behaviour to preserve escaped attributes

Fixes apostrophecms#540

Author: benelliott

index.js

@@ -287,8 +287,17 @@ function sanitizeHtml(html, options, _recursing) {
         }
       }
 
-      if (!allowedAttributesMap || has(allowedAttributesMap, name) || allowedAttributesMap['*']) {
+      const willEscape = skip;
+
+      if (willEscape || !allowedAttributesMap || has(allowedAttributesMap, name) || allowedAttributesMap['*']) {
         each(attribs, function(value, a) {
+          if (willEscape) {
+            result += ' ' + a;
+            value = value || '';
+            result += '="' + escapeHtml(value, true) + '"';
+            return;
+          }
+
           if (!VALID_HTML_ATTRIBUTE_NAME.test(a)) {
             // This prevents part of an attribute name in the output from being
             // interpreted as the end of an attribute, or end of a tag.

test/test.js

@@ -13,6 +13,18 @@ describe('sanitizeHtml', function() {
       allowedAttributes: false
     }), 'before <img src="test.png" /> after');
   });
+  it('should preserve all attributes in escaped tags', () => {
+    assert.equal(sanitizeHtml('before <img src="test.png" foo="bar baz boo" style="color: red" /> after', {
+      disallowedTagsMode: 'escape',
+      allowedTags: []
+    }), 'before &lt;img src="test.png" foo="bar baz boo" style="color: red" /&gt; after');
+  });
+  it('should preserve all attributes in unrecognised escaped tags', () => {
+    assert.equal(sanitizeHtml('before <vimg src="test.png" foo="bar baz boo" style="color: red" /> after', {
+      disallowedTagsMode: 'escape',
+      allowedTags: []
+    }), 'before &lt;vimg src="test.png" foo="bar baz boo" style="color: red"&gt; after');
+  });
   it('should handle numbers as strings', () => {
     assert.equal(sanitizeHtml(5, {
       allowedTags: [ 'b', 'em', 'i', 's', 'small', 'strong', 'sub', 'sup', 'time', 'u' ],