diff --git a/lib/xss.js b/lib/xss.js
index 33181960..3e58434a 100644
--- a/lib/xss.js
+++ b/lib/xss.js
@@ -205,19 +205,6 @@ const badAttrs = new RegExp([
 "\\baction"
 ].join("|"), "i");
-/* These are things commonly used in the values of HTML attributes of
- XSS injections. Go ahead and strip them, they don't have any other
- use besides javascript
-*/
-const badAttrValues = new RegExp([
- "alert",
- "document.cookie",
- "expression",
- "javascript",
- "location",
- "window"
-].join("|"), "ig");
-
 function sanitizeHTML(str) {
 var i = str.indexOf("<");
 if (i === -1) {
@@ -248,9 +235,8 @@ function sanitizeHTML(str) {
 if (k.match(badAttrs)) {
 delete t.attributes[k];
 } else {
- if (t.attributes[k].match(badAttrValues)) {
- // As above, replacing with a nonempty string is important.
- t.attributes[k] = t.attributes[k].replace(badAttrValues, "[removed]");
+ if (t.attributes[k].replace(/\s/g, "").indexOf("javascript:") !== -1) {
+ t.attributes[k] = "[removed]";
 }
 }
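Review bot: The new `javascript:` test in the second hunk is case-sensitive, while the `badAttrValues` regex it replaces carried the `i` flag and browsers match URL schemes case-insensitively, so a value spelled `JavaScript:` would now pass through unchanged; the check should normalise case as well as whitespace, `if (t.attributes[k].replace(/\s/g, "").toLowerCase().indexOf("javascript:") !== -1) {`. Whether attribute values have already been entity-decoded by the time this comparison runs is not visible in the hunk, so that should be confirmed against the parser that fills `t.attributes`. The deleted comment explaining why the replacement is a non-empty string is worth restoring next to the new `t.attributes[k] = "[removed]";`, since the reason is no longer stated anywhere in the hunk. sanitizeHTML's body continues outside both hunks.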