Sanitizer: fix logic and add a test. (#35133)

This was broken in 2596c97 inadvertently.
Added a test so that we don't hit this in the future.

js/src/util/sanitizer.js

@@ -45,7 +45,7 @@ const allowedAttribute = (attribute, allowedAttributeList) => {
 
   // Check if a regular expression validates the attribute.
   return allowedAttributeList.filter(attributeRegex => attributeRegex instanceof RegExp)
-    .every(regex => regex.test(attributeName))
+    .some(regex => regex.test(attributeName))
 }
 
 export const DefaultAllowlist = {

js/tests/unit/util/sanitizer.spec.js

@@ -23,6 +23,31 @@ describe('Sanitizer', () => {
       expect(result).not.toContain('href="javascript:alert(7)')
     })
 
+    it('should sanitize template and work with multiple regex', () => {
+      const template = [
+        '<div>',
+        '  <a href="javascript:alert(7)" aria-label="This is a link" data-foo="bar">Click me</a>',
+        '  <span>Some content</span>',
+        '</div>'
+      ].join('')
+
+      const myDefaultAllowList = DefaultAllowlist
+      // With the default allow list
+      let result = sanitizeHtml(template, myDefaultAllowList, null)
+
+      // `data-foo` won't be present
+      expect(result).not.toContain('data-foo="bar"')
+
+      // Add the following regex too
+      myDefaultAllowList['*'].push(/^data-foo/)
+
+      result = sanitizeHtml(template, myDefaultAllowList, null)
+
+      expect(result).not.toContain('href="javascript:alert(7)') // This is in the default list
+      expect(result).toContain('aria-label="This is a link"') // This is in the default list
+      expect(result).toContain('data-foo="bar"') // We explicitly allow this
+    })
+
     it('should allow aria attributes and safe attributes', () => {
       const template = [
         '<div aria-pressed="true">',