> it is still possible to inject area and map tags
This is the critical oversight - what would be the reason to not use a whitelist instead, or even custom tags instead of plain HTML? Most of the existing libraries for sanitizing HTML work like that.