microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS

Home Page: https://github.com/microcosm-cc/bluemonday

How to disallow attr?

Lolioy opened this issue

I want to disallow some attrs on elements. How do I do that?

Attributes are disallowed by default, therefore, what you are actually going to have to do is enable them specifically. If you can add some details to your question, I'll try to add more information.

@clarencefoy is correct... the approach bluemonday takes is to default deny everything... and then to selectively allow what you want to allow.

@Lolioy I'm going to guess that you're using UGCPolicy() which is defined in policies.go. Feel free to copy that func into your own code base (no need to fork this repo, etc) and then remove from that anything you didn't want to allow.

The UGCPolicy is there to provide a safe example that works well in the majority of cases, but it's not a perfect fit for everyone, in which case use it as an example of how to build a policy that works perfectly for you.