Allowing strings as attribute while preventing malignous strings


In a current project, I need to let editors customize a name attribute for an element. It could potentially be a string with whitespace, so I’d rather not .urlize the value.

Is it possible to accommodate readable strings and still prevent JS injection (like onclick="function(console.log('you\'ve been scripted!')))? Not sure what I’m looking for here, possibly a function?

Editors would customize this name attribute pre or post hugo build?

pre hugo build!