[HtmlSanitizer] Node renderer does not account for HTML5 void elements #46258

Closed
@omniError


Symfony version(s) affected

6.1.0-beta2

Description

The render() method in the HtmlSanitizer's Visitor\Node\Node.php file incorrectly assumes that all elements with no content are self-closing (or void) elements. This can produce invalid HTML in the result.

How to reproduce

I discovered this because I was testing and found that strings containing Font Awesome icons were getting mangled. For example, it may look something like: <i class="fas fa-thumbs-up"></i> where you can see that the i element has no content (it gets replaced later with the icon). What HtmlSanitizer is doing is treating it as a void element and returning <i class="fas fa-thumbs-up" /> which is both invalid HTML and something that Font Awesome cannot recognize.

Possible Solution

The problem is here: https://github.com/symfony/symfony/blob/6.1/src/Symfony/Component/HtmlSanitizer/Visitor/Node/Node.php#L60

This needs some sort of logic to check for HTML elements which are allowed to be void. In HTML5 these are:
['area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input', 'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr']
Everything else that has no children should get a closing tag instead.

Additional Context

No response
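
One way to implement the check suggested in the issue, as an added example that is not Symfony's code and not part of the original report; `renderElement()` and `VOID_ELEMENTS` are hypothetical names, and attribute names are assumed to have been allow-listed already. The distinction matters for a sanitizer because an HTML5 parser ignores the trailing slash on a non-void element, so `<i ... />` is read as an unclosed start tag and the content that follows ends up inside it.

```php
<?php
declare(strict_types=1);

// Void element names exactly as listed in the issue above.
const VOID_ELEMENTS = ['area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
    'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr'];

/**
 * Hypothetical stand-alone renderer (not Symfony's Node::render()).
 *
 * $attributes maps name => string value, or name => null for a valueless attribute.
 * Assumption: attribute names were allow-listed upstream by the sanitizer.
 * $childrenHtml is the already-rendered, already-sanitized markup of the child nodes.
 */
function renderElement(string $tagName, array $attributes, string $childrenHtml = ''): string
{
    $tagName = strtolower($tagName);
    if (!preg_match('/^[a-z][a-z0-9]*$/', $tagName)) {
        throw new InvalidArgumentException('Unexpected tag name');
    }

    $attrs = '';
    foreach ($attributes as $name => $value) {
        $attrs .= ' ' . $name;
        if (null !== $value) {
            // Encode quotes and angle brackets so a value cannot break out of the attribute.
            $attrs .= '="' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
        }
    }

    if (in_array($tagName, VOID_ELEMENTS, true)) {
        // Void elements never have children or an end tag.
        return '<' . $tagName . $attrs . ' />';
    }

    // Every other element gets an explicit end tag, even when it has no children.
    return '<' . $tagName . $attrs . '>' . $childrenHtml . '</' . $tagName . '>';
}

// Constructed sample input: the empty icon element from the report, a void element,
// and the icon nested inside a paragraph.
$icon = renderElement('i', ['class' => 'fas fa-thumbs-up']);
echo $icon, "\n";
echo renderElement('br', []), "\n";
echo renderElement('p', [], $icon . ' Liked'), "\n";
```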