Fixing up javascript cleanup on safeHtml

src/app/helpers/safe-html.pipe.ts

@@ -9,10 +9,16 @@ export class SafeHtmlPipe implements PipeTransform {
 
   transform(value: any, args?: any): any {
     // Allow html, disallow scripts, onclick, etc.
+    // if appears "script" tag, remove it and all following characters (to avoid XSS)
     value = value.replace(/<\s*script\s*/gi, '');
     // Remove if exists any javascript event
     // eslint-disable-next-line max-len
-    value = value.replace(/onclick|onmouseover|onmouseout|onmousemove|onmouseenter|onmouseleave|onmouseup|onmousedown|onkeyup|onkeydown|onkeypress|onkeydown|onkeypress|onkeyup|onchange|onfocus|onblur|onload|onunload|onabort|onerror|onresize|onscroll/gi, '');
+    // Remove all events: 'onclick', 'onmouseover', 'onmouseout',
+    // 'onmousemove', 'onmouseenter', 'onmouseleave', 'onmouseup', 
+    // 'onmousedown', 'onkeyup', 'onkeydown', 'onkeypress', 'onkeydown',
+    // 'onkeypress', 'onkeyup', 'onchange', 'onfocus', 'onblur', 'onload', 'onunload', 'onabort', 'onerror', 'onresize', 'onscroll'
+    value = value.replace(/on\w+\s*=\s*['"]?[^'"]*['"]?/gi, '');
+
     // Remove if exists any javascript: reference
     value = value.replace(/javascript\s*\:/gi, '');