JS to kill hard-coded inline event listeners.

event_killer.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Kill Inline Events</title>
<style>

* {
  font-family: sans-serif;
  line-height: 1.5;
}

span {
  background: #ff0;
}

a {
  color: #06c;
}

a:hover {
  color: #c60;
}

</style>
</head>
<body>
<p>
  The JS in this page kills all hard-coded inline event listeners.<br />
  This script was written to help when cleansing user generated input,<br />
  such as from TinyMCE, which can kill &lt;script&gt; but not attributes.
</p>
<p>
  <b>Clicking or hovering over yellow text should do nothing&hellip;</b>
</p>
<p>
  <span onclick="alert('CLICK!')" onmouseover="alert('MOUSEOVER!')" onmouseout="alert('MOUSEOUT!')">
    I started with onclick, onmouseover, onmouseout.
  </span>
<p>
<p>
  <span onclick="alert('CLICK!')" onmouseover="alert('MOUSEOVER!')" onmouseout="alert('MOUSEOUT!')">
    I started with onclick, onmouseover, onmouseout.
  </span>
<p>
<p>
  <span onclick="alert('CLICK!')" onmouseover="alert('MOUSEOVER!')" onmouseout="alert('MOUSEOUT!')">
    I started with onclick, onmouseover, onmouseout.
  </span>
<p>
<p>
  Example:<br />
  <a href="http://host.sonspring.com/_misc/event_killer.html">http://host.sonspring.com/_misc/event_killer.html</a>
</p>
<p>
  Code:<br />
  <a href="https://gist.github.com/992071">https://gist.github.com/992071</a>
</p>
<script>
(function(d) {
  var tags = d.body.getElementsByTagName('*');
  var i = tags.length;

  while (i--) {
    var attr = tags[i].attributes;
    var ii = attr.length;

    while (ii--) {
      if (attr[ii].name.match(/^on/i)) {
        tags[i][attr[ii].name] = null;
      }
    }
  }
})(this.document);
</script>
</body>
</html>