feat: Write self-closing tags with a />

Adds tests for self-closing tags both for correct writing and for correct
sanitization, i.e. stripping attributes on them.

inline_test.go

@@ -204,16 +204,13 @@ func TestRawHtmlTag(t *testing.T) {
 
 		// Additonal token types: SelfClosing, Comment, DocType.
 		"<br/>",
-		"<p><br></p>\n",
+		"<p><br/></p>\n",
 
 		"<!-- Comment -->",
 		"<!-- Comment -->\n",
 
 		"<!DOCTYPE test>",
 		"<p>&lt;!DOCTYPE test&gt;</p>\n",
-
-		"<hr>",
-		"<hr>\n",
 	}
 	doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
 }
@@ -229,6 +226,21 @@ func TestQuoteEscaping(t *testing.T) {
 	doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
 }
 
+func TestSanitizeSelfClosingTag(t *testing.T) {
+	tests := []string{
+		"<hr>\n",
+		"<hr>\n",
+
+		"<hr/>\n",
+		"<hr/>\n",
+
+		// Make sure that evil attributes are stripped for self closing tags.
+		"<hr onclick=\"evil()\"/>\n",
+		"<hr/>\n",
+	}
+	doTestsInlineParam(t, tests, 0, HTML_SKIP_STYLE|HTML_SANITIZE_OUTPUT)
+}
+
 func TestEmphasis(t *testing.T) {
 	var tests = []string{
 		"nothing inline\n",

sanitize.go

@@ -103,7 +103,11 @@ func sanitizeHtmlSafe(input []byte) []byte {
 						wr.WriteByte('"')
 					}
 				}
-				wr.WriteString(">")
+				if t == html.SelfClosingTagToken {
+					wr.WriteString("/>")
+				} else {
+					wr.WriteString(">")
+				}
 			} else {
 				wr.WriteString(html.EscapeString(string(tokenizer.Raw())))
 			}