Closed
Symfony version(s) affected
7.1 (symfony/html-sanitizer)
Description
By default, allowSafeElements() treats <head> as a safe element (see line 139 of vendor/symfony/html-sanitizer/HtmlSanitizerConfig.php and line 47 of vendor/symfony/html-sanitizer/Reference/W3CReference.php).
When using allowSafeElements(), the <head> element is still being stripped from the sanitized HTML. It's also stripped if that method is used in conjunction with allowElement('head').
How to reproduce
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
// Allow every element the sanitizer's W3C reference marks as safe
$config = (new HtmlSanitizerConfig)->allowSafeElements();
// Full document, including a <head> with a <title>
$html = '<!DOCTYPE html><html><head><title>Example</title></head><body><p>Example</p></body></html>';
echo (new HtmlSanitizer($config))->sanitize($html);
Expected output:
<html><head><title>Example</title><body><p>Example</p></body></html>
Actual output:
<html><body><p>Example</p></body></html>
Possible Solution
No response
Additional Context
No response