From 6de5d2e8d23c4231423a5440b16540f55bc0df96 Mon Sep 17 00:00:00 2001 From: Michael Snoyman Date: Sun, 31 Oct 2010 23:06:11 +0200 Subject: [PATCH] Deal with non-closing tags --- Text/HTML/SanitizeXSS.hs | 5 ++++- test.hs | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Text/HTML/SanitizeXSS.hs b/Text/HTML/SanitizeXSS.hs index 0ad3e0b..530e09d 100644 --- a/Text/HTML/SanitizeXSS.hs +++ b/Text/HTML/SanitizeXSS.hs @@ -21,7 +21,10 @@ sanitizeXSS = renderTagsOptions renderOptions { safeTags m [] = concatMap go $ Map.toList m where - go (name, i) = replicate i $ TagClose name + go (name, i) + | noClosing name = [] + | otherwise = replicate i $ TagClose name + noClosing = flip elem ["br", "img"] safeTags m (t@(TagClose name):tags) | safeTagName name = case Map.lookup name m of diff --git a/test.hs b/test.hs index 840f59b..80d603e 100644 --- a/test.hs +++ b/test.hs @@ -1,8 +1,8 @@ import Text.HTML.SanitizeXSS main = do - let test = " safeanchor

Unbalanced" + let test = " safeanchor

Unbalanced" let actual = (sanitizeXSS test) - let expected = " safeanchor
Unbalanced" + let expected = " safeanchor
Unbalanced" putStrLn $ "testing: " ++ test putStrLn $ if actual == expected then "pass" else "failure\n" ++ "\nexpected:" ++ (show expected) ++ "\nactual: " ++ (show actual)
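Review bot: In the `safeTags m []` clause of Text/HTML/SanitizeXSS.hs, `noClosing` is a hard-coded list of only `br` and `img`, so any other void element the whitelist admits (for example `hr`, `input`, `col`, `area`, `wbr`) would still get a synthesized `TagClose` at end of input, assuming `safeTagName`, which is outside this hunk, allows them. The check is also an exact string match, so it relies on tag names being lower-cased before they reach the map; that is not visible here and is worth confirming, since `<BR>` would otherwise still produce a closing tag. I would extend the list to every void element the whitelist permits, e.g. `noClosing = flip elem ["area", "br", "col", "hr", "img", "input", "wbr"]`, and add a comment such as `-- void elements have no end tag; never synthesize one`. The test.hs hunk exercises a single input; cases for an unclosed `img` and for an explicit `</br>` in the input would pin the sanitizer's output on both the end-of-input path and the `TagClose` path.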