feat: single-quoted attribute value syntax support

[mdk000]

Hi @leizongmin!

First of all thank you for creating this package. We have been using it for sanitizing html and put it inside JSON files. It can be done in two ways:

• { "html": "<a href=\"#\">Hello</a>" }
• { "html": "<a href='#'>Hello</a>" }

but the default config output is:

• { "html": "<a href="#">Hello</a>" }

We would like to use default config and don't create any custom rules via safeAttrValue or onIgnoreTagAttr, but we need to have single-quoted attribute value syntax for sanitized output. Accodring to whatwg spec, single quoted approach is also valid and supports values containing whitespaces.

I've created a PR. Now it's available use new quotedAttributeValueSyntax config option. Default behaviour left intact so changes can be treated as enhancement.

Let me know what you think

[leizongmin]

Hi, @mdk000 . Thanks for you PR.

I think it might be better to change quotedAttributeValueSyntax: 'single' | 'double' to singleQuotedAttributeValue: true | false. Only when singleQuotedAttributeValue is set to true, the attribute values will be wrapped in single quotes. If singleQuotedAttributeValue is not set or set to false, the attribute values will be wrapped in double quotes as usual.

[mdk000]

@leizongmin thanks for suggestion, I've corrected it, please check

When do you plan to release new version with this feature?

[leizongmin]

@mdk000 I just merged this MR and released a new version xss@1.0.15.

[mdk000]

@leizongmin awesome! thanks