Merge pull request #213 from flavorjones/flavorjones-allow-wbr-element

allow HTML5 element `wbr`
flavorjones · Jul 31, 2021 · 78712b5 · 78712b5
2 parents bf355a1 + c490da0
commit 78712b5
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,18 @@
 # Changelog
 
+## next / unreleased
+
+### Features
+
+* Allow HTML5 element `wbr`.
+
+
+### Changes
+
+* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
+* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
+
+
 ## 2.10.0 / 2021-06-06
 
 ### Features

diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
@@ -140,6 +140,7 @@ module SafeList
                                       "ul",
                                       "var",
                                       "video",
+                                      "wbr",
                                     ])
 
       MATHML_ELEMENTS = Set.new([
@@ -788,18 +789,14 @@ module SafeList
       ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
       ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
 
+      # TODO: remove VOID_ELEMENTS in a future major release
+      # and put it in the tests (it is used only for testing, not for functional behavior)
       VOID_ELEMENTS = Set.new([
                                 "area",
-                                "base",
                                 "br",
-                                "col",
-                                "embed",
                                 "hr",
                                 "img",
                                 "input",
-                                "link",
-                                "meta",
-                                "param",
                               ])
 
       # additional tags we should consider safe since we have libxml2 fixing up our documents.

diff --git a/test/html5/test_sanitizer.rb b/test/html5/test_sanitizer.rb
@@ -68,6 +68,12 @@ def assert_completes_in_reasonable_time(&block)
     end
   end
 
+  HTML5::SafeList::VOID_ELEMENTS.each do |tag_name|
+    define_method "test_void_#{tag_name}_is_in_allowed_list" do
+      assert_includes(HTML5::SafeList::ALLOWED_ELEMENTS, tag_name)
+    end
+  end
+
   ##
   ##  libxml2 downcases elements, so this is moot.
   ##