/**
 * Sanitizes HTML content by removing dangerous attributes and tags.
 * This is used to comply with CSP policies and prevent XSS.
 */
export function sanitizeHTML(html: string): string {
    if (!html) return '';

    // 1. Remove script tags completely
    let sanitized = html.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, '');

    // 2. Remove all "on*" event handler attributes (onclick, onload, etc.)
    // This handles attributes like onclick="alert(1)" or onclick='alert(1)' or onclick=alert(1)
    sanitized = sanitized.replace(/\s+on\w+\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>]+)/gi, '');

    // 3. Remove "javascript:" pseudo-protocols in href or src
    sanitized = sanitized.replace(/(href|src)\s*=\s*(?:'javascript:[^']*'|"javascript:[^"]*"|javascript:[^\s>]+)/gi, '$1="#"');

    // 4. Remove <style> tags (to comply with style-src)
    sanitized = sanitized.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, '');

    // 5. Remove meta and link tags (except for purely visual ones if needed, but safer to remove)
    sanitized = sanitized.replace(/<(meta|link|iframe|object|embed|applet)[^>]*>/gi, '');

    // 6. Explicitly remove <a> tags to prevent HTML injection of links (VAPT compliance)
    sanitized = sanitized.replace(/<a[^>]*>([\s\S]*?)<\/a>/gi, '$1');

    return sanitized;
}