If you don't know how data- attributes are being used, then you should
not white list them.
data- attributes from which URL attributes can still be passed
javascript: URLs which might allow arbitrary JS execution.
> --
> You received this message because you are subscribed to the Google Groups
> "OWASP Java HTML Sanitizer Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to owasp-java-html-saniti...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.