fix(sanitize): Do not duplicate self closing elements

For HTML self closing elements:
* Do not create an end element
* Create the element as self closed

Author: lgalfaso

src/ngSanitize/sanitize.js

@@ -189,6 +189,9 @@ var svgElements = toMap("circle,defs,desc,ellipse,font-face,font-face-name,font-
 // Special Elements (can contain anything)
 var specialElements = toMap("script,style");
 
+var selfClosingElements = toMap("area,base,br,col,command,embed,hr,img,input,keygen,link,meta,param,source," +
+        "track,wbr");
+
 var validElements = angular.extend({},
                                    voidElements,
                                    blockElements,
@@ -283,7 +286,8 @@ function htmlParser(html, handler) {
   while (node) {
     switch (node.nodeType) {
       case 1: // ELEMENT_NODE
-        handler.start(node.nodeName.toLowerCase(), attrToMap(node.attributes));
+        handler.start(node.nodeName.toLowerCase(), attrToMap(node.attributes),
+                      selfClosingElements[node.nodeName.toLowerCase()]);
         break;
       case 3: // TEXT NODE
         handler.chars(node.textContent);
@@ -295,18 +299,18 @@ function htmlParser(html, handler) {
     var nextNode;
     if (!(nextNode = node.firstChild)) {
       if (nextNode = node.nextSibling) {
-        if (node.nodeType == 1) {
+        if (node.nodeType == 1 && !selfClosingElements[node.nodeName.toLowerCase()]) {
           handler.end(node.nodeName.toLowerCase());
         }
       } else {
-        if (node.nodeType == 1) {
+        if (node.nodeType == 1 && !selfClosingElements[node.nodeName.toLowerCase()]) {
           handler.end(node.nodeName.toLowerCase());
         }
         while (nextNode == null) {
           node = node.parentNode;
           if (node === baseNode) break;
           nextNode = node.nextSibling;
-          if (node.nodeType == 1) {
+          if (node.nodeType == 1 && !selfClosingElements[node.nodeName.toLowerCase()]) {
             handler.end(node.nodeName.toLowerCase());
           }
         }
@@ -370,7 +374,7 @@ function encodeEntities(value) {
  * create an HTML/XML writer which writes to buffer
  * @param {Array} buf use buf.jain('') to get out sanitized html string
  * @returns {object} in the form of {
- *     start: function(tag, attrs) {},
+ *     start: function(tag, attrs, selfClose) {},
  *     end: function(tag) {},
  *     chars: function(text) {},
  *     comment: function(text) {}
@@ -380,15 +384,16 @@ function htmlSanitizeWriter(buf, uriValidator) {
   var ignore = false;
   var out = angular.bind(buf, buf.push);
   return {
-    start: function(tag, attrs) {
+    start: function(tag, attrs, selfClose) {
       tag = angular.lowercase(tag);
       if (!ignore && specialElements[tag]) {
         ignore = tag;
       }
       if (!ignore && validElements[tag] === true) {
         out('<');
         out(tag);
-        angular.forEach(attrs, function(value, key) {
+        angular.forEach(Object.keys(attrs).sort(), function(key) {
+          var value = attrs[key];
           var lkey=angular.lowercase(key);
           var isImage = (tag === 'img' && lkey === 'src') || (lkey === 'background');
           if (validAttrs[lkey] === true &&
@@ -400,7 +405,7 @@ function htmlSanitizeWriter(buf, uriValidator) {
             out('"');
           }
         });
-        out('>');
+        out(selfClose ? '/>' : '>');
       }
     },
     end: function(tag) {

test/ngSanitize/filter/linkySpec.js

@@ -50,8 +50,8 @@ describe('linky', function() {
 
   it('should handle target:', function() {
     expect(linky("http://example.com", "_blank")).
-      toEqual('<a target="_blank" href="http://example.com">http://example.com</a>');
+      toEqual('<a href="http://example.com" target="_blank">http://example.com</a>');
     expect(linky("http://example.com", "someNamedIFrame")).
-      toEqual('<a target="someNamedIFrame" href="http://example.com">http://example.com</a>');
+      toEqual('<a href="http://example.com" target="someNamedIFrame">http://example.com</a>');
   });
 });

test/ngSanitize/sanitizeSpec.js

@@ -112,7 +112,7 @@ describe('HTML', function() {
   // THESE TESTS ARE EXECUTED WITH COMPILED ANGULAR
   it('should echo html', function() {
     expectHTML('hello<b class="1\'23" align=\'""\'>world</b>.').
-       toEqual('hello<b class="1\'23" align="&#34;&#34;">world</b>.');
+       toEqual('hello<b align="&#34;&#34;" class="1\'23">world</b>.');
   });
 
   it('should remove script', function() {
@@ -165,7 +165,9 @@ describe('HTML', function() {
   });
 
   it('should handle self closed elements', function() {
-    expectHTML('a<hr/>c').toEqual('a<hr></hr>c');
+    expectHTML('a<hr/>c').toEqual('a<hr/>c');
+    expectHTML('<br/>').toEqual('<br/>');
+    expectHTML('<br>').toEqual('<br/>');
   });
 
   it('should handle namespace', function() {
@@ -192,7 +194,7 @@ describe('HTML', function() {
 
   it('should ignore back slash as escape', function() {
     expectHTML('<img alt="xxx\\" title="><script>....">').
-      toEqual('<img alt="xxx\\" title="&gt;&lt;script&gt;...."></img>');
+      toEqual('<img alt="xxx\\" title="&gt;&lt;script&gt;...."/>');
   });
 
   it('should ignore object attributes', function() {
@@ -227,8 +229,8 @@ describe('HTML', function() {
   });
 
   it('should accept SVG tags', function() {
-      expectHTML('<svg width="400px" height="150px" xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"></svg>')
-        .toEqual('<svg width="400px" height="150px" xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"></circle></svg>');
+    expectHTML('<svg width="400px" height="150px" xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"></svg>')
+        .toEqual('<svg height="150px" width="400px" xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" fill="red" r="40" stroke="black" stroke-width="3"></circle></svg>');
   });
 
   it('should not ignore white-listed svg camelCased attributes', function() {
@@ -259,7 +261,7 @@ describe('HTML', function() {
 
     expectHTML('<svg><a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"><circle r="400"></circle>' +
     '<animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /></a></svg>')
-      .toEqual('<svg><a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"><circle r="400"></circle></a></svg>');
+      .toEqual('<svg><a xlink:href="?" xmlns:xlink="http://www.w3.org/1999/xlink"><circle r="400"></circle></a></svg>');
   });
 
   describe('htmlSanitizerWriter', function() {
@@ -415,11 +417,11 @@ describe('HTML', function() {
       inject(function() {
         $$sanitizeUri.andReturn('someUri');
 
-        expectHTML('<img src="someUri"/>').toEqual('<img src="someUri"></img>');
+        expectHTML('<img src="someUri"/>').toEqual('<img src="someUri"/>');
         expect($$sanitizeUri).toHaveBeenCalledWith('someUri', true);
 
         $$sanitizeUri.andReturn('unsafe:someUri');
-        expectHTML('<img src="someUri"/>').toEqual('<img></img>');
+        expectHTML('<img src="someUri"/>').toEqual('<img/>');
       });
     });