remove disallowed elements from VOID_ELEMENTS

and remove elements that libxml2 doesn't consider void (like `col`)

this list is descriptive, not prescriptive -- and is used only for
testing tags in ACCEPTABLE_ELEMENTS.

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## next / unreleased
+
+### Changes
+
+* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
+* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
+
+
 ## 2.10.0 / 2021-06-06
 
 ### Features

lib/loofah/html5/safelist.rb

@@ -788,18 +788,14 @@ module SafeList
       ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
       ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
 
+      # TODO: remove VOID_ELEMENTS in a future major release
+      # and put it in the tests (it is used only for testing, not for functional behavior)
       VOID_ELEMENTS = Set.new([
                                 "area",
-                                "base",
                                 "br",
-                                "col",
-                                "embed",
                                 "hr",
                                 "img",
                                 "input",
-                                "link",
-                                "meta",
-                                "param",
                               ])
 
       # additional tags we should consider safe since we have libxml2 fixing up our documents.

test/html5/test_sanitizer.rb

@@ -68,6 +68,12 @@ def assert_completes_in_reasonable_time(&block)
     end
   end
 
+  HTML5::SafeList::VOID_ELEMENTS.each do |tag_name|
+    define_method "test_void_#{tag_name}_is_in_allowed_list" do
+      assert_includes(HTML5::SafeList::ALLOWED_ELEMENTS, tag_name)
+    end
+  end
+
   ##
   ##  libxml2 downcases elements, so this is moot.
   ##