kses removes valid attribute from xhtml elements
|Reported by:||dougal||Owned by:|
|Component:||Formatting||Keywords:||has-patch, tested, kses, xhtml, html|
There is an edge-case which can cause kses to discard the last attribute of an empty XHTML element, if the closing slash is not preceded by a space.
input = <img src='foo.jpg' bogus='disallowed attr' alt='my image'/>
output = <img src='foo.jpg'/>
expected = <img src='foo.jpg' alt='my image'/>
The problem is that kses assumes that the closing slash on an XHTML element will always be preceded by a space. While the space is recommended for backwards compatibility with HTML4, it is not strictly required.