Python : sys.version_info(major=3, minor=8, micro=3, releaselevel='final', serial=0)
lxml.etree : (4, 5, 2, 0)
libxml used : (2, 9, 10)
libxml compiled : (2, 9, 10)
libxslt used : (1, 1, 34)
libxslt compiled : (1, 1, 34)
The following script creates a form with a button with formaction which still allows XSS through when clicking the button.
```
from lxml.html.clean import Cleaner
cleaner = Cleaner(
forms=False,
safe_attrs_only=False,
)
cleaner.clean_html("""<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>""")
```
However, this same kind of idea doesn't apply to action on the form which is somewhat equivalent:
```
In [1]: cleaner.clean_html("""<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>""")
Out[1]: '<div><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button></div>'
In [2]: cleaner.clean_html("""<form id="test" action="javascript:alert(1)"></form><button form="test" type="submit">X</button>""")
Out[2]: '<div><form id="test" action=""></form><button form="test" type="submit">X</button></div>'
```
safe_attrs_only is an unsafe setting to disable but it seems to respect the javascript setting so I would argue that formaction should be added to the list of attributes that are removed by the javascript setting.
I believe the issue is that lxml isn't treating a button as a "link" and not running formaction through `doc.rewrite_
https:/
From there iterlinks() is called which doesn't see a button as a link.
I'm not sure if you would want to modify iterlinks() or add a special case for button in the clean function.