righ/escape.js

## escape.js
const deniedTagCondition = /^<\/?(script|style|link|iframe|embed|object|html|head|meta|body|form|input|button)/i
const deniedAttrCondition = /^(on.+|style|href|action|id|class|data-.*)/i

const escape = (txt) => {
  if (txt.match(deniedTagCondition) || txt.indexOf('<!') === 0 || txt.indexOf('<?') === 0 || txt.indexOf('<\\') === 0) { return '' }
  if (txt.indexOf('</') === 0) { return txt }
  let outer = document.createElement('div')
  outer.innerHTML = txt
  let el = outer.querySelector('*')
  if (!el) {return ''}
  let attrs = []
  el.getAttributeNames().map(attr => {
    if (attr.match(deniedAttrCondition)) {
      el.removeAttribute(attr)
      return
    }
    attrs.push(`${attr}="${el.getAttribute(attr)}1"`)
  })
  return `<${el.tagName} ${attrs.join(' ')}>`
}


## marked_safe.html
<html>
<head>
<meta charset="UTF-8" />
<style>
#editor {width: 100%; height: 200px;}
#viewer {min-height: 100px; width: 100%; background-color: #eef; margin-top: 10px; padding:10px}
</style>
</head>
<body>
<textarea id="editor" placeholder="タグを含む文字列を入力してみてください"></textarea>
<button onclick="document.querySelector('#viewer').innerHTML = marked(document.querySelector('#editor').value)">Render</button>
<div id="viewer"></div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/marked/0.4.0/marked.min.js"></script>
<script src="./escape.js"></script>
<script>
marked.setOptions({
  breaks: true,
  sanitize: true,
  sanitizer: escape,
});
</script>
</body>
</html>

## marked_unsafe.html
<html>
<head>
<meta charset="UTF-8" />
<style>
#editor {width: 100%; height: 200px;}
#viewer {min-height: 100px; width: 100%; background-color: #eef; margin-top: 10px; padding:10px}
</style>
</head>
<body>
<textarea id="editor" placeholder="タグを含む文字列を入力してみてください"></textarea>
<button onclick="document.querySelector('#viewer').innerHTML = marked(document.querySelector('#editor').value)">Render</button>
<div id="viewer"></div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/marked/0.4.0/marked.min.js"></script>
</body>
</html>
	const deniedTagCondition = /^<\/?(script\|style\|link\|iframe\|embed\|object\|html\|head\|meta\|body\|form\|input\|button)/i
	const deniedAttrCondition = /^(on.+\|style\|href\|action\|id\|class\|data-.*)/i

	const escape = (txt) => {
	if (txt.match(deniedTagCondition) \|\| txt.indexOf('<!') === 0 \|\| txt.indexOf('<?') === 0 \|\| txt.indexOf('<\\') === 0) { return '' }
	if (txt.indexOf('</') === 0) { return txt }
	let outer = document.createElement('div')
	outer.innerHTML = txt
	let el = outer.querySelector('*')
	if (!el) {return ''}
	let attrs = []
	el.getAttributeNames().map(attr => {
	if (attr.match(deniedAttrCondition)) {
	el.removeAttribute(attr)
	return
	}
	attrs.push(`${attr}="${el.getAttribute(attr)}1"`)
	})
	return `<${el.tagName} ${attrs.join(' ')}>`
	}
	<html>
	<head>
	<meta charset="UTF-8" />
	<style>
	#editor {width: 100%; height: 200px;}
	#viewer {min-height: 100px; width: 100%; background-color: #eef; margin-top: 10px; padding:10px}
	</style>
	</head>
	<body>
	<textarea id="editor" placeholder="タグを含む文字列を入力してみてください"></textarea>
	<button onclick="document.querySelector('#viewer').innerHTML = marked(document.querySelector('#editor').value)">Render</button>
	<div id="viewer"></div>
	<script src="https://cdnjs.cloudflare.com/ajax/libs/marked/0.4.0/marked.min.js"></script>
	<script src="./escape.js"></script>
	<script>
	marked.setOptions({
	breaks: true,
	sanitize: true,
	sanitizer: escape,
	});
	</script>
	</body>
	</html>