Symfony version(s) affected
6.1.0-beta2
Description
The render() method in the HtmlSanitizer's Visitor\Node\Node.php file incorrectly assumes that all elements with no content are self-closing (or void) elements. This can produce invalid HTML in the result.
How to reproduce
I discovered this because I was testing and found that strings containing Font Awesome icons were getting mangled. For example it may look something like:
<i class="fas fa-thumbs-up"></i>
where you can see that the i element has no content (it gets replaced later with the icon). What HtmlSanitizer is doing is treating it as a void element and returning
<i class="fas fa-thumbs-up" />
which is both invalid HTML and something that Font Awesome cannot recognize.
Possible Solution
The problem is here: https://github.com/symfony/symfony/blob/6.1/src/Symfony/Component/HtmlSanitizer/Visitor/Node/Node.php#L60
This needs some sort of logic to check for HTML elements which are allowed to be void. In HTML5 these are:
['area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input', 'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr']
Everything else that has no children should get a closing tag instead.
Additional Context
No response
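The check the issue asks for, as an added example that is not part of the original report and is not Symfony's code. The function name renderElement() and its signature are hypothetical; the void-element list is the one given in the issue.

```php
<?php
declare(strict_types=1);

// Void elements as listed in the issue above; only these may omit the end tag.
const VOID_ELEMENTS = ['area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
    'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr'];

/**
 * Hypothetical renderer (not Symfony's Node::render()).
 * $attributes maps name => value (null for a valueless attribute);
 * $children is already-rendered, already-sanitized inner HTML.
 */
function renderElement(string $tag, array $attributes, string $children = ''): string
{
    $tag = strtolower($tag);
    $out = '<' . $tag;
    foreach ($attributes as $name => $value) {
        $out .= ' ' . $name;
        if (null !== $value) {
            $out .= '="' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
        }
    }

    if (in_array($tag, VOID_ELEMENTS, true)) {
        // Void elements cannot have content, so any children are dropped.
        return $out . ' />';
    }

    // Non-void: always emit an explicit end tag, even when the element is empty.
    // An HTML5 parser ignores the trailing slash on a non-void start tag, so
    // <i ... /> would leave the element open and swallow the markup after it.
    return $out . '>' . $children . '</' . $tag . '>';
}

// Constructed sample inputs, including the Font Awesome case from the issue.
$cases = [
    ['i', ['class' => 'fas fa-thumbs-up'], ''],
    ['br', [], ''],
    ['img', ['src' => '/a.png', 'alt' => 'a "quoted" alt'], ''],
    ['div', [], ''],
];
foreach ($cases as [$tag, $attrs, $children]) {
    echo renderElement($tag, $attrs, $children), PHP_EOL;
}
```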