diff --git a/index.js b/index.js
index 699cb68..557bb62 100644
--- a/index.js
+++ b/index.js
@@ -31,6 +31,8 @@ var defaultWhiteList = {
   td:     ['style', 'class', 'width', 'colspan'],
   th:     ['style', 'class', 'width', 'colspan'],
   tbody:  ['style', 'class'],
+  ul:     ['style', 'class'],
+  li:     ['style', 'class'],
 };
 
 /**
@@ -38,9 +40,19 @@ var defaultWhiteList = {
  */
 var defaultOnTagAttr = function (tag, attr, value) {
   if (attr === 'href' || attr === 'src') {
-    if (/^[\s"'`]*j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:/ig.test(value)) {
+    if (/\/\*|\*\//mg.test(value)) {
       return '#';
     }
+    if (/^[\s"'`]*((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig.test(value)) {
+      return '#';
+    }
+  } else if (attr === 'style') {
+    if (/\/\*|\*\//mg.test(value)) {
+      return '#';
+    }
+    if (/((j\s*a\s*v\s*a|v\s*b|l\s*i\s*v\s*e)\s*s\s*c\s*r\s*i\s*p\s*t\s*|m\s*o\s*c\s*h\s*a):/ig.test(value)) {
+      return '';
+    }
   }
 };
 
diff --git a/test/test_xss.js b/test/test_xss.js
index f8fab35..c45ba45 100644
--- a/test/test_xss.js
+++ b/test/test_xss.js
@@ -132,6 +132,28 @@ describe('test XSS', function () {
     assert.equal(xss('<SCRIPT SRC=//ha.ckers.org/.j'),
         '&lt;SCRIPT SRC=//ha.ckers.org/.j');
 
+    assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\')"'),
+        '&lt;IMG SRC=\"javascript:alert(\'XSS\')"');
+
+    assert.equal(xss('<iframe src=http://ha.ckers.org/scriptlet.html <'),
+        '&lt;iframe src=http://ha.ckers.org/scriptlet.html &lt;');
+
+    assert.equal(xss('<a style="url(\'javascript:alert(1)\')">'), '<a style>');
+
+    assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src="#">');
+
+    assert.equal(xss('<IMG SRC="livescript:[code]">'), '<img src="#">');
+
+    assert.equal(xss('<IMG SRC="mocha:[code]">'), '<img src="#">');
+
+    assert.equal(xss('<a href="javas/**/cript:alert(\'XSS\');">'), '<a href="#">');
+
+    // 这个暂时不知道怎么处理
+    //assert.equal(xss('¼script¾alert(¢XSS¢)¼/script¾'), '');
+
+    assert.equal(xss('<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]-->'),
+        '&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert(\'XSS\');&lt;/SCRIPT&gt;&lt;![endif]--&gt;');
+
   });
 
 });