Use custom safe tags also for continuation.

Text/HTML/SanitizeXSS.hs

@@ -34,7 +34,7 @@ import Network.URI ( parseURIReference, URI (..),
                      isAllowedInURI, escapeURIString, uriScheme )
 import Codec.Binary.UTF8.String ( encodeString )
 
-import Data.Maybe (catMaybes)
+import Data.Maybe (mapMaybe)
 
 
 -- | Sanitize HTML to prevent XSS attacks.  This is equivalent to @filterTags safeTags@.
@@ -88,14 +88,14 @@ safeTags = mySafeTags safeTagName sanitizeAttribute
 mySafeTags :: (Text -> Bool) -> ((Text, Text) -> Maybe (Text, Text)) ->
               [Tag Text] -> [Tag Text]
 mySafeTags _ _ [] = []
-mySafeTags safeName _ (t@(TagClose name):tags)
+mySafeTags safeName sanitizeAttr (t@(TagClose name):tags)
-    | safeName name = t : safeTags tags
+    | safeName name = t : mySafeTags safeName sanitizeAttr tags
-    | otherwise = safeTags tags
+    | otherwise = mySafeTags safeName sanitizeAttr tags
 mySafeTags safeName sanitizeAttr (TagOpen name attributes:tags)
-  | safeName name = TagOpen name
+  | safeName name = TagOpen name (mapMaybe sanitizeAttr attributes) :
-      (catMaybes $ map sanitizeAttr attributes) : safeTags tags
+      mySafeTags safeName sanitizeAttr tags
-  | otherwise = safeTags tags
+  | otherwise = mySafeTags safeName sanitizeAttr tags
-mySafeTags _ _ (t:tags) = t:safeTags tags
+mySafeTags n a (t:tags) = t : mySafeTags n a tags
 
 safeTagName :: Text -> Bool
 safeTagName tagname = tagname `member` sanitaryTags