protected function doNeverAllowed($str)
{
$never = ['document.cookie' => '[removed]', 'document.write' => '[removed]', '.parentNode' => '[removed]', '.innerHTML' => '[removed]', '-moz-binding' => '[removed]', '<!--' => '<!--', '-->' => '-->', '<![CDATA[' => '<![CDATA[', '<comment>' => '<comment>'];
$str = str_replace(array_keys($never), $never, $str);
$regex = ['javascript\\s*:', '(document|(document\\.)?window)\\.(location|on\\w*)', 'expression\\s*(\\(|&\\#40;)', 'vbscript\\s*:', 'wscript\\s*:', 'jscript\\s*:', 'vbs\\s*:', 'Redirect\\s+30\\d', "([\"'])?data\\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"];
foreach ($regex as $val) {
$str = preg_replace('#' . $val . '#is', '[removed]', $str);
}
return $str;
}