lib/sanitize/transformers/clean_element.rb in sanitize-5.2.2 vs lib/sanitize/transformers/clean_element.rb in sanitize-5.2.3
@@ -118,21 +118,18 @@
# Delete any attribute that isn't allowed on this element.
node.attribute_nodes.each do |attr|
attr_name = attr.name.downcase
unless attr_allowlist.include?(attr_name)
- # The attribute isn't allowed.
+ # The attribute isn't in the allowlist, but may still be allowed if
+ # it's a data attribute.
- if allow_data_attributes && attr_name.start_with?('data-')
- # Arbitrary data attributes are allowed. If this is a data
- # attribute, continue.
- next if attr_name =~ REGEX_DATA_ATTR
+ unless allow_data_attributes && attr_name.start_with?('data-') && attr_name =~ REGEX_DATA_ATTR
+ # Either the attribute isn't a data attribute or arbitrary data
+ # attributes aren't allowed. Remove the attribute.
+ attr.unlink
+ next
end
-
- # Either the attribute isn't a data attribute or arbitrary data
- # attributes aren't allowed. Remove the attribute.
- attr.unlink
- next
end
# The attribute is allowed.
# Remove any attributes that use unacceptable protocols.
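Review bot: The comments in the rewritten branch do not say that a permitted data attribute now falls through to the protocol check that starts on the last line of this hunk, where the old code's `next if attr_name =~ REGEX_DATA_ATTR` skipped it. Since that fall-through is the security-relevant effect of the change, I would state it after the inner `end`, e.g. `# Allowed data attributes fall through on purpose so the protocol checks below apply to them too.`, so a later refactor does not reintroduce an early `next`. Whether the check then covers a given `data-*` name depends on the protocol lookup, which is outside this hunk, so a regression test with a data attribute listed in the protocols config would be worth adding alongside. As a smaller style point, `attr_name =~ REGEX_DATA_ATTR` is used only for truthiness, and `REGEX_DATA_ATTR.match?(attr_name)` would avoid setting match globals if the gem's minimum Ruby version allows it.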