Can I disallow only one Attribute?

[ivanjeremic]

For now, I need to write out all existing Attributes in the world and let only the one which I don't allow out, but is there a way to specifically say don't allow onclick= for example but allow everything else?

[boutell]

There is not. We don't do this because there are so many attributes that can be used to insert javascript that it's difficult to see how we would be "sanitizing" anything if we only had a disallow policy. Open to hearing though about a situation in which this would not defeat the purpose of using the module.