Yesod uses xss-sanitize [0], and their sanitize function does indeed prevent "javascript:" attempts. They even have a test case for it [1].
Playing around with it in the REPL:
Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=javascript:alert('XSS')>" "<img>" Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=\"javascript:alert('XSS')\">" "<img>" Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=fine>" "<img src=\"fine\">" Prelude Text.HTML.SanitizeXSS Data.Text> sanitize $ pack "<IMG SRC=\"this is ok too\">" "<img src=\"this is ok too\">"
[1]: https://github.com/yesodweb/haskell-xss-sanitize/blob/9a9101...
Yesod uses xss-sanitize [0], and their sanitize function does indeed prevent "javascript:" attempts. They even have a test case for it [1].
Playing around with it in the REPL:
[0]: https://hackage.haskell.org/package/xss-sanitize[1]: https://github.com/yesodweb/haskell-xss-sanitize/blob/9a9101...