microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS

Home Page: https://github.com/microcosm-cc/bluemonday

What is this project’s license?

alexec opened this issue · comments

I do not understand the license for this project. It looks like it does not have a license, because I don’t believe that “copyright” is a license, and nothing like MIT or Apache 2 is mentioned.

commented

License file is here: https://github.com/microcosm-cc/bluemonday/blob/main/LICENSE.md

BSD 3-clause: https://opensource.org/licenses/BSD-3-Clause

Must retain copyright info as per standard BSD 3-clause, and if reproduced in binary must also reproduce copyright info.

commented

looks like it does not have a license

Uses standard LICENSE.md

Shows the license on the right-hand side of the GitHub page.

Reproduces the license at the top of all source files.

nothing like MIT or Apache 2 is mentioned

Because it's BSD 3-clause, which is also an approved OSI license.

I should add... if your company is allergic to BSD 3-clause and doesn't wish to reproduce the copyright notice according to the license, then I would be open to a discussion about dual-licensing for a fee but with no implied warranty. Given that I haven't done that before I would involve a lawyer so the fee would be above a hobby donation amount but below a new vendor contract approval - think low thousands $$$ to cover the costs of involving legal counsel to do this.

Thank you. It would be great if this was more clearly stated in the LICENCE file. The off-the-shelf BSD-3 clause does (to my eyes) make it clear that it is BSD-3.

Regarding licences we are allowed to use, obviously MIT and Apache 2 are allowed. We're an OSS project, so we probably would not use a dependency that requires attribution, due to inconvenience and fear more than anything else.

Regardless, I believe for our use case, we can achieve adequate sandboxing using CSP and iframes.