This repository was archived by the owner on Feb 26, 2026. It is now read-only.

{allowedTags:null} allows <script> #176

@mikesamuel

```js
'<script>alert(1)</script>' ==
sanitizeHtml(
    '<script>alert(1)</script>',
    { allowedTags: null });

'<script>alert(1)</script>' ==
sanitizeHtml(
    '<script>alert(1)</script>',
    { allowedTags: undefined });
```

The docs say:

> What if I want to allow all tags or all attributes?
>
> Simple! Instead of leaving allowedTags or allowedAttributes out of the options, set either one or both to false:
>
> ```js
> allowedTags: false,
> allowedAttributes: false
> ```

The internal check checks whether allowedTags is falsey, not false.

Treating null equivalently to false is problematic since null is much more likely as an output from a function that otherwise returns an array than false, so treating null and undefined as equivalent to false is a corner-case with very serious security consequences.

For example,

```js
const MY_POLICY = {
  allowedTags: computeAllowedTags()
};

function computeAllowedTags() {
  if (complexCondition) {
    return INLINE_ELEMENTS;
  } else if (anotherComplexCondition) {
    return BLOCK_AND_INLINE_ELEMENTS;
  } else if (adNauseam) {
    return FORMATTING_ELEMENTS_AND_IMAGES;
  }
  // NOTE: Missing return at bottom implies return of undefined
}
```

Since the behavior for undefined and null, 0, NaN, "" and other falsey values is not documented, I recommend either

- changing the code that fills in blanks:
  ```js
  options = extend(sanitizeHtml.defaults, options);
  ```
  to first remove any properties with falsey, but non-false values.
- and/or change the falsey checks
  ```js
  if (options.allowedTags && options.allowedTags.indexOf(name) === -1) {
  ```
  to check for false:
  ```js
  if (options.allowedTags !== false
      && (options.allowedTags || []).indexOf(name) === -1) {
  ```
  and similarly for allowedAttributes.
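The two recommendations above, worked through as an added example that is not sanitize-html's own code: a minimal model of option resolution and the per-tag check, with the pre-fix falsy test shown beside the strict one. `DEFAULT_ALLOWED_TAGS`, `resolveOptions`, `isTagAllowed`, `isTagAllowedLegacy` and `filterTags` are all names invented for this example, and the default tag list is a constructed sample, not the library's real default.

```javascript
// Constructed sample default list (not the library's real defaults).
const DEFAULT_ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'a', 'p'];

// The pre-fix logic the issue quotes: a falsy allowedTags (null, undefined,
// 0, NaN, '') short-circuits the check, so every tag, <script> included, passes.
function isTagAllowedLegacy(options, name) {
  if (options.allowedTags && options.allowedTags.indexOf(name) === -1) {
    return false;
  }
  return true;
}

// Fix 1 (first recommendation): when filling in blanks from the defaults,
// drop user-supplied properties that are falsy but not the literal `false`,
// so null/undefined fall back to the defaults instead of meaning "allow all".
function resolveOptions(userOptions, defaults = { allowedTags: DEFAULT_ALLOWED_TAGS }) {
  const cleaned = {};
  for (const [key, value] of Object.entries(userOptions || {})) {
    if (!value && value !== false) continue; // null, undefined, 0, NaN, ''
    cleaned[key] = value;
  }
  return Object.assign({}, defaults, cleaned);
}

// Fix 2 (second recommendation): only the literal `false` disables filtering.
// Anything else must be an array; a non-array here is a configuration bug,
// so fail closed rather than guess.
function isTagAllowed(options, name) {
  if (options.allowedTags === false) return true;
  if (!Array.isArray(options.allowedTags)) {
    throw new TypeError('allowedTags must be an array or false');
  }
  return options.allowedTags.indexOf(name) !== -1;
}

// Toy tag filter used only to exercise the policy decision: disallowed
// tags are removed and their text content is left in place. It handles
// simple well-formed markup and is not a substitute for a real HTML parser.
function filterTags(html, userOptions) {
  const options = resolveOptions(userOptions);
  return html.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (match, slash, name) =>
    isTagAllowed(options, name.toLowerCase()) ? match : '');
}

// Demo: the exact inputs from the issue, after the fix.
console.log(filterTags('<script>alert(1)</script>', { allowedTags: null }));      // alert(1)
console.log(filterTags('<script>alert(1)</script>', { allowedTags: undefined })); // alert(1)
console.log(filterTags('<script>alert(1)</script>', { allowedTags: false }));     // unchanged
```

With `resolveOptions` in front, a `computeAllowedTags()` that falls off the end and returns `undefined` now yields the default policy rather than an allow-everything policy; with `isTagAllowed`, even an unresolved `null` cannot pass, because only `false` is treated as the opt-out.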
