Fix an edge case with br attribute sanitization

Since we're depending on lxml's cleaner this isn't a security issue, just unexpected.

Thanks Sean Gilligan for the report!

Author: matthiask

CHANGELOG.rst

@@ -5,6 +5,9 @@ Change log
 Next version
 ============
 
+- Fixed an edge case where ``br`` tag attributes weren't removed if the br tag
+  appears first.
+
 
 2.3 (2024-02-07)
 ================

html_sanitizer/sanitizer.py

@@ -337,7 +337,6 @@ def sanitize(self, html):
                     )
                 ):
                     nx.drop_tag()
-                    continue
 
             if not element.text:
                 # No text before first child and first child is a <br>: Drop it

html_sanitizer/tests.py

@@ -73,6 +73,7 @@ def test_01_sanitize(self):
             ("<a>  </a>", "<a> </a>"),
             # ...but breaks without any additional content are still removed
             ("<a><br />  </a>", "<a> </a>"),
+            ("<p>blab<br hello='world' />blub<p>", "<p>blab<br>blub</p>"),
         ]
 
         self.run_tests(entries)
@@ -104,7 +105,9 @@ def test_03_merge(self):
         self.run_tests(entries)
 
     def test_no_space_between_same_tags(self):
-        entries = [("<strong>Hel</strong><strong>lo</strong>", "<strong>Hello</strong>")]
+        entries = [
+            ("<strong>Hel</strong><strong>lo</strong>", "<strong>Hello</strong>")
+        ]
         self.run_tests(entries)
 
     def test_04_p_in_li(self):
@@ -642,3 +645,13 @@ def test_code_whitespace(self):
 """
 
         self.run_tests([(html, html)], sanitizer=sanitizer)
+
+    def test_br_attribute_sanitization(self):
+        """Attributes which aren't allowlisted are removed from br tags"""
+        self.run_tests(
+            [
+                ("<p><br hello=\"alert('world');\"/><br></p>", ""),
+                ('<p hello="world"></p>', ""),
+                ("<br hello=\"alert('world');\"/><br>", "<br>"),
+            ]
+        )