Symfony version(s) affected
6.1.0-beta2
Description
The `render()` method in the HtmlSanitizer's `Visitor\Node\Node.php` file incorrectly assumes that all elements with no content are self-closing (or void) elements. This can produce invalid HTML in the result.
How to reproduce
I discovered this because I was testing and found that strings containing Font Awesome icons were getting mangled. For example, it may look something like `<i class="fas fa-thumbs-up"></i>`, where you can see that the `i` element has no content (it gets replaced later with the icon). What HtmlSanitizer is doing is treating it as a void element and returning `<i class="fas fa-thumbs-up" />`, which is both invalid HTML and something that Font Awesome cannot recognize.
Possible Solution
The problem is here: https://github.com/symfony/symfony/blob/6.1/src/Symfony/Component/HtmlSanitizer/Visitor/Node/Node.php#L60
This needs some sort of logic to check for HTML elements which are allowed to be void. In HTML5 these are:
`['area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input', 'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr']`
Everything else that has no children should get a closing tag instead.
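A minimal rendering helper that applies the check proposed above. This is an added example, not Symfony's own `Node::render()`; it assumes the tag name and attribute names have already passed the sanitizer's allow-list upstream, and only escapes attribute values itself.

```php
<?php
declare(strict_types=1);

// HTML5 void elements: the only tags that may be emitted without a closing tag.
const VOID_ELEMENTS = [
    'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
    'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr',
];

/**
 * Hypothetical helper: render one element with the void-element check.
 * $tag and attribute names are assumed already validated by the sanitizer.
 *
 * @param array<string, string> $attributes
 */
function renderElement(string $tag, array $attributes, string $innerHtml): string
{
    $tag = strtolower($tag);

    $attrString = '';
    foreach ($attributes as $name => $value) {
        // Escape the value so it cannot break out of the surrounding quotes.
        $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $attrString .= ' '.$name.'="'.$escaped.'"';
    }

    if (in_array($tag, VOID_ELEMENTS, true)) {
        // Void elements cannot have children, so any inner content is dropped
        // and the self-closing form is emitted.
        return '<'.$tag.$attrString.' />';
    }

    // Every other element gets an explicit closing tag, even when its content
    // is empty, so an empty icon element round-trips unchanged.
    return '<'.$tag.$attrString.'>'.$innerHtml.'</'.$tag.'>';
}

// Constructed inputs mirroring the report: an empty <i> must keep its
// closing tag, while a <br> stays self-closing.
echo renderElement('i', ['class' => 'fas fa-thumbs-up'], ''), "\n";
echo renderElement('br', [], ''), "\n";
echo renderElement('p', ['title' => 'a "quoted" value'], 'text'), "\n";
```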
Additional Context
No response