From 871ef1139a3438793d45b1c2bfc901e077e3198c Mon Sep 17 00:00:00 2001
From: Ben Elliott <4996462+benelliott@users.noreply.github.com>
Date: Mon, 8 Jul 2024 15:04:35 +0100
Subject: [PATCH] Add `preserveEscapedAttributes` option to allow attributes on
 escaped disallowed tags to be retained

Fixes https://github.com/apostrophecms/sanitize-html/issues/540
---
 index.js     | 12 ++++++++++--
 test/test.js | 22 ++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/index.js b/index.js
index 1144ce8..5bb9f82 100644
--- a/index.js
+++ b/index.js
@@ -287,7 +287,14 @@ function sanitizeHtml(html, options, _recursing) {
         }
       }
 
-      if (!allowedAttributesMap || has(allowedAttributesMap, name) || allowedAttributesMap['*']) {
+      const isBeingEscaped = skip && (options.disallowedTagsMode === 'escape' || options.disallowedTagsMode === 'recursiveEscape');
+      const shouldPreserveEscapedAttributes = isBeingEscaped && options.preserveEscapedAttributes;
+
+      if (shouldPreserveEscapedAttributes) {
+        each(attribs, function(value, a) {
+          result += ' ' + a + '="' + escapeHtml((value || ''), true) + '"';
+        });
+      } else if (!allowedAttributesMap || has(allowedAttributesMap, name) || allowedAttributesMap['*']) {
         each(attribs, function(value, a) {
           if (!VALID_HTML_ATTRIBUTE_NAME.test(a)) {
             // This prevents part of an attribute name in the output from being
@@ -893,7 +900,8 @@ sanitizeHtml.defaults = {
   allowedSchemesAppliedToAttributes: [ 'href', 'src', 'cite' ],
   allowProtocolRelative: true,
   enforceHtmlBoundary: false,
-  parseStyleAttributes: true
+  parseStyleAttributes: true,
+  preserveEscapedAttributes: false
 };
 
 sanitizeHtml.simpleTransform = function(newTagName, newAttribs, merge) {
diff --git a/test/test.js b/test/test.js
index 9c87be3..7fa4767 100644
--- a/test/test.js
+++ b/test/test.js
@@ -1693,6 +1693,28 @@ describe('sanitizeHtml', function() {
       disallowedTagsMode: 'completelyDiscard'
     });
 
+    assert.equal(sanitizedHtml, expectedOutput);
+  });
+  it('should not preserve attributes on escaped disallowed tags when `preserveEscapedAttributes` is false', () => {
+    const inputHtml = '<div class="foo">Some Text</div>';
+    const expectedOutput = '&lt;div&gt;Some Text&lt;/div&gt;';
+    const sanitizedHtml = sanitizeHtml(inputHtml, {
+      allowedTags: [],
+      disallowedTagsMode: 'escape',
+      preserveEscapedAttributes: false
+    });
+
+    assert.equal(sanitizedHtml, expectedOutput);
+  });
+  it('should preserve attributes on escaped disallowed tags when `preserveEscapedAttributes` is true', () => {
+    const inputHtml = '<div class="foo">Some Text</div>';
+    const expectedOutput = '&lt;div class="foo"&gt;Some Text&lt;/div&gt;';
+    const sanitizedHtml = sanitizeHtml(inputHtml, {
+      allowedTags: [],
+      disallowedTagsMode: 'escape',
+      preserveEscapedAttributes: true
+    });
+
     assert.equal(sanitizedHtml, expectedOutput);
   });
 });