sanitize-html-browser.js

function sanitizeHtml(input) {
  if (typeof input !== 'string') return input;
  if (input.indexOf('<') === -1) return input;
  
  const div = document.createElement('div');
  div.innerHTML = input;
  div.querySelectorAll('script').forEach((el) => el.remove());
  div.querySelectorAll('style').forEach((el) => el.remove());
  div.querySelectorAll('*').forEach((el) => {
    const events = el.getAttributeNames().filter((a) => a.indexOf('on') === 0);
    events.forEach((e) => el.removeAttribute(e));
  });
  return div.innerHTML;
}

sanitize-html.js

import cheerio from 'cheerio';

export default (input) => {
  if (typeof input !== 'string') return input;
  if (input.indexOf('<') === -1) return input;
  
  const $ = cheerio.load(input || '');
  $('body script').remove();
  $('body style').remove();
  $('body *').map((i, x) => {
    const el = $(x);
    const events = Object.keys(el[0].attribs).filter((k) => k.indexOf('on') === 0);
    events.forEach((e) => el.removeAttr(e));
    return el;
  });
  return $('body').html();
};

test-cases.js

var input = '<div>this is a test <script>alert(1)</script></div>';
var expected = '<div>this is a test </div>';
console.log('test1', sanitizeHtml(input) === expected);

var input = '<div>this is a test <style></style></div>';
var expected = '<div>this is a test </div>';
console.log('test2', sanitizeHtml(input) === expected);

var input = '<div onmouseover="alert(1)">this is a test <img src=x onclick="alert(1)" /> too</div>';
var expected = '<div>this is a test <img src="x"> too</div>';
console.log('test3', sanitizeHtml(input) === expected);