Parsoid/Todo:HTML5

From mediawiki.org

Tracked in bugzilla:39161.

Possible bugs

  • The html5 builder appears to strip comments from inline style attributes: a parsed token whose style key has the value "/* insecure input */" comes out as style="" when HTML is generated. To investigate: is this a bug in the html5 library, or does the HTML5 spec dictate this behavior? In either case, we need a fix so that sanitized attributes round-trip properly. If it is a bug in the html5 library, we report it at https://github.com/aredridel/html5. If not, we fix the sanitizer code so that it does not emit inline comments. Try the following command to test:
    • echo '<pre style="border-width: expression(alert(document.cookie));">foo</pre>' | node parse.js | sed 's/&quot;/"/g;'
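The manual check above can be scripted. The Node.js code below is an added example, not Parsoid or html5 code: it reads the raw serialized HTML (before the sed step) and names which outcome occurred for the `<pre>` style attribute. The sample outputs and the data-x attribute are constructed for illustration.

```javascript
'use strict';
// Added example, not Parsoid code. PLACEHOLDER is the value quoted on this page.
const PLACEHOLDER = '/* insecure input */';

// Decode entities inside one attribute value; &amp; last to avoid double decoding.
function decodeAttr(value) {
  return value.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Return the decoded style value of the first <pre> start tag, or null when
// the tag carries no style attribute. Quoted values may contain '>'.
function styleOfPre(html) {
  const tag = /<pre\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/i.exec(html);
  if (!tag) throw new Error('no <pre> start tag in output');
  const attr = /([^\s"'=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+)))?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) {
    if (m[1].toLowerCase() === 'style') {
      return decodeAttr(m[2] ?? m[3] ?? m[4] ?? '');
    }
  }
  return null;
}

// Name the outcome of one round trip for the page's test input.
function classify(html) {
  const style = styleOfPre(html);
  if (style === null) return 'attribute-dropped';
  if (/expression\s*\(/i.test(style)) return 'unsanitized';
  const trimmed = style.trim();
  if (trimmed === '') return 'emptied'; // the behaviour reported above
  if (trimmed === PLACEHOLDER) return 'placeholder-preserved';
  return 'other';
}

// Constructed sample outputs (data-x is a hypothetical attribute).
const samples = {
  emptied: '<pre data-x="{&quot;a&quot;:&quot;>&quot;}" style="">foo</pre>',
  preserved: '<pre style="/* insecure input */">foo</pre>',
  raw: '<pre style="border-width: expression(alert(document.cookie));">foo</pre>',
};

for (const [name, html] of Object.entries(samples)) {
  console.log(name, '->', classify(html));
}
```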