Saturday, 24 January 2015

Sanitise specific HTML attribute values against XSS

We want to implement a "safe mode" in Parsedown, a Markdown parser. It already has a MarkupEscaped option that disables HTML, but that is not enough on its own: the parser itself generates a and img tags from Markdown link and image syntax, so to be safe it also needs to sanitise the user-generated values that end up in those attributes.

These are:

  • the href and title attributes of a tags;
  • the src and title attributes of img tags.

How should we go about it?
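One way to do it, as an added example that is not Parsedown's own code: a whitelist of URL schemes for href and src (scheme-less, i.e. relative, URLs pass; javascript:, vbscript: and data:text/html do not), plus entity-encoding of every attribute value so it cannot break out of its quotes. The constant and function names are assumptions for this example.

```php
<?php
// Added example, not Parsedown's own code. Sanitises the attribute values that
// user-written Markdown can reach: href/src (URLs) and title (plain text).
// Values are assumed to arrive raw, exactly as written in the Markdown source.

// URL prefixes allowed in href and src. data: is restricted to raster images,
// since data:text/html and data:image/svg+xml can carry script.
const SAFE_URL_PREFIXES = [
    'http://', 'https://', 'ftp://', 'ftps://', 'mailto:',
    'data:image/png;base64,', 'data:image/gif;base64,', 'data:image/jpeg;base64,',
];

function isSafeUrl(string $url): bool
{
    // Browsers ignore leading/embedded control characters and whitespace, so
    // "  javascript:" or "java\tscript:" must be normalised before the check.
    $n = preg_replace('/[\x00-\x20]+/', '', $url);
    // "&#106;avascript:" and "javascript&colon;" decode to "javascript:";
    // decode once, then strip control characters again.
    $n = html_entity_decode($n, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $n = preg_replace('/[\x00-\x20]+/', '', $n);

    // No "scheme:" prefix means a relative URL or fragment: allowed.
    if (!preg_match('/^[a-z][a-z0-9+.\-]*:/i', $n)) {
        return true;
    }
    foreach (SAFE_URL_PREFIXES as $prefix) {
        if (stripos($n, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

function sanitiseUrlAttribute(string $url): string
{
    // Reject unsafe URLs outright rather than trying to repair them.
    $safe = isSafeUrl($url) ? $url : '#';
    // Entity-encode so '"', '<' or '&' cannot close the attribute or the tag.
    return htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function sanitiseTextAttribute(string $value): string
{
    // title carries no URL, so encoding alone is sufficient.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage when emitting a link:
// '<a href="' . sanitiseUrlAttribute($href) . '" title="' . sanitiseTextAttribute($title) . '">'
```

The scheme check only keeps script-bearing URLs out of the attribute; it says nothing about where an allowed http:// link points, and the encoding step is what stops a value from closing the quote and injecting a new attribute or tag.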