File tree 2 files changed +32
-3
lines changed
src/Symfony/Component/HtmlSanitizer
2 files changed +32
-3
lines changed Original file line number Diff line number Diff line change @@ -237,16 +237,21 @@ public function provideSanitizeBody()
237237 ],
238238 [
239239 '<BODY BACKGROUND="javascript:alert( \'XSS \')"> ' ,
240- '<body / > ' ,
240+ '<body></body > ' ,
241241 ],
242242 [
243243 '<BGSOUND SRC="javascript:alert( \'XSS \');"> ' ,
244- '<bgsound / > ' ,
244+ '<bgsound></bgsound > ' ,
245245 ],
246246 [
247247 '<BR SIZE="&{alert( \'XSS \')}"> ' ,
248248 '<br size="&{alert('XSS')}" /> ' ,
249249 ],
250+ [
251+ '<BR></br> ' ,
252+ '<br /><br /> ' ,
253+ ],
254+
250255 [
251256 '<OBJECT TYPE="text/x-scriptlet" DATA="http://xss.rocks/scriptlet.html"></OBJECT> ' ,
252257 '' ,
@@ -445,6 +450,11 @@ public function provideSanitizeBody()
445450 '<i>Lorem ipsum</i> ' ,
446451 '<i>Lorem ipsum</i> ' ,
447452 ],
453+ [
454+ '<i></i> ' ,
455+ '<i></i> ' ,
456+ ],
457+
448458 [
449459 '<li>Lorem ipsum</li> ' ,
450460 '<li>Lorem ipsum</li> ' ,
Original file line number Diff line number Diff line change 2020 */
2121final class Node implements NodeInterface
2222{
23+ // HTML5 elements which are self-closing
24+ private const VOID_ELEMENTS = [
25+ 'area ' => true ,
26+ 'base ' => true ,
27+ 'br ' => true ,
28+ 'col ' => true ,
29+ 'embed ' => true ,
30+ 'hr ' => true ,
31+ 'img ' => true ,
32+ 'input ' => true ,
33+ 'keygen ' => true ,
34+ 'link ' => true ,
35+ 'meta ' => true ,
36+ 'param ' => true ,
37+ 'source ' => true ,
38+ 'track ' => true ,
39+ 'wbr ' => true ,
40+ ];
41+
2342 private NodeInterface $ parent
2443 private string $ tagName
2544 private array $ attributes
@@ -56,7 +75,7 @@ public function addChild(NodeInterface $node): void
5675
5776 public function render (): string
5877 {
59- if (! $ this children ) {
78+ if (isset ( self :: VOID_ELEMENTS [ $ this tagName ]) ) {
6079 return '< ' .$ this tagName .$ this renderAttributes ().' /> ' ;
6180 }
6281
You can’t perform that action at this time.
0 commit comments