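// NOTE(security): pattern-based filtering is a best-effort reduction, not a
// complete XSS defence. These patterns do not decode character references, do
// not cover every URL-bearing attribute or scheme, and do not model how a
// browser repairs malformed markup. Where untrusted input ends up rendered as
// HTML, prefer a parser-based allowlist sanitizer plus a restrictive
// Content-Security-Policy, or render the value as text instead.

// Tags removed outright (opening or closing) together with their attributes.
// The name is matched as a prefix, so a longer name that merely starts with a
// listed one (e.g. a custom element beginning with "button") is removed too.
const BLOCKED_TAG_PATTERN =
  /<\/?(script|style|iframe|object|embed|link|meta|base|form|input|button|textarea|select)[^>]*>/gi;

// Inline event-handler attributes (on<name> = value). The value may be
// double-quoted, single-quoted or unquoted, quoted values may span lines, and
// the attribute may be separated from what precedes it by whitespace or "/".
// The pattern is applied to the whole string, not only inside tags, so plain
// text of the same shape (" once=5") is stripped as well; that is accepted as
// the fail-closed choice.
const EVENT_HANDLER_PATTERN = /[\s/]on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi;

// href/src attributes whose value starts with the javascript: scheme. Each
// quoting style is matched separately so a value that contains the other quote
// character is still recognised.
const JS_PROTOCOL_PATTERN =
  /[\s/](href|src)\s*=\s*(?:"\s*javascript:[^"]*"|'\s*javascript:[^']*'|javascript:[^\s>]*)/gi;

/**
 * Strip blocked tags, inline event handlers and javascript: URLs from a string.
 *
 * @param {*} input - Value to clean; coerced with String(). null and undefined
 *   yield an empty string.
 * @returns {string} The filtered, trimmed string. See the security note at the
 *   top of this file before treating the result as safe HTML.
 */
function sanitizeHtml(input) {
  if (input === null || input === undefined) {
    return '';
  }

  let html = String(input);
  let previous;

  // Removing a match can join the text on either side of it into a new match
  // (a blocked tag wrapped around another blocked tag, for instance), so the
  // filters are re-applied until a pass changes nothing. Every replacement is
  // shorter than the text it replaces, so the loop always terminates.
  do {
    previous = html;
    html = html
      .replace(BLOCKED_TAG_PATTERN, '')
      .replace(EVENT_HANDLER_PATTERN, '')
      .replace(JS_PROTOCOL_PATTERN, ' $1="#"');
  } while (html !== previous);

  return html.trim();
}

// CommonJS export; the guard lets the file load where `module` is not defined.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = { sanitizeHtml };
}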