I've found a test case that does not sanitize correctly. I've done a preliminary investigation to see if I could contribute a fix, but it doesn't seem like a simple case.

The golang html page is providing the html.Attribute as key="src", val="onmouseover="alert('xxs')"".

{
  in:              `<IMG SRC= onmouseover="alert('xxs')">`,
  expected: ``,
},

Here is the output

        input   : <IMG SRC= onmouseover="alert('xxs')">
        output  : <img src="onmouseover=%22alert%28%27xxs%27%29%22">
        expected: 

Happy to try to contribute a fix but I'm a bit short of ideas, I contemplated trying to re-parse attribute values to identify any nested attributes due to this type of input. Not sure how I'd go about re-parsing just attributes, it doesn't seem like it's something supported in the html package?

I've done a bit more digging, I've just found the func (p *Policy) validURL(rawurl string) (string, bool) method, in here, it is being treated as a relative URL.