issue 40: <span> that are dropped because they lack attributes lead to the wrong </span> tag being dropped

Author: mikesamuel

src/main/java/org/owasp/html/ElementAndAttributePolicyBasedSanitizerPolicy.java

@@ -182,7 +182,7 @@ void writeOpenTag(
  }
 
  void deferOpenTag(String elementName) {
- if (HtmlTextEscapingMode.isVoidElement(elementName)) {
+ if (!HtmlTextEscapingMode.isVoidElement(elementName)) {
  openElementStack.add(elementName);
  openElementStack.add(null);
  }

src/test/java/org/owasp/html/HtmlSanitizerTest.java

@@ -341,6 +341,22 @@ public static final void testScriptInIframe() {
  + "</iframe>"));
  }
 
+ @Test
+ public static final void testBalancingOfEmptyTags() {
+ assertEquals(
+ "<span style=\"color:rgb( 72 , 72 , 72 );font-family:&#39;helveticaneue&#39;\">"
+ + " "
+ + "my \u00A0"
+ + " list of style names or a "
+ + "</span>",
+ sanitize(
+ "<span style=\"color:rgb(72, 72, 72); font-family:helveticaneue\">"
+ + " "
+ + "<span>my &nbsp;</span>"
+ + " list of style names or a "
+ + "</span>"));
+ }
+
  private static String sanitize(@Nullable String html) {
  StringBuilder sb = new StringBuilder();
  HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
@@ -373,6 +389,7 @@ public String apply(
  }
  })
  .globally()
+ .allowStyling()
  // Don't throw out useless <img> and <input> elements to ease debugging.
  .allowWithoutAttributes("img", "input")
  .build(renderer);