From 6066911d9b34b9c2acea05df234ed6b3cbc83645 Mon Sep 17 00:00:00 2001
From: kedarchandrayan <kedarchandrayan@gmail.com>
Date: Wed, 21 Sep 2022 10:53:57 +0530
Subject: [PATCH] Upgrades `htmlparser2` to new major version `^8.0.0`.

---
 CHANGELOG.md | 4 ++++
 package.json | 2 +-
 test/test.js | 8 ++++----
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9fae24b..e44d6cb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## Issue #565
+
+- Upgrades `htmlparser2` to new major version `^8.0.0`.
+
 ## 2.7.2 (2022-09-15)
 
 - Closing tags must agree with opening tags. This fixes [issue #549](https://github.com/apostrophecms/sanitize-html/issues/549), in which closing tags not associated with any permitted opening tag could be passed through. No known exploit exists, but it's better not to permit this. Thanks to 
diff --git a/package.json b/package.json
index 25b1d6f..bd0470d 100644
--- a/package.json
+++ b/package.json
@@ -25,7 +25,7 @@
   "dependencies": {
     "deepmerge": "^4.2.2",
     "escape-string-regexp": "^4.0.0",
-    "htmlparser2": "^6.0.0",
+    "htmlparser2": "^8.0.0",
     "is-plain-object": "^5.0.0",
     "parse-srcset": "^1.0.2",
     "postcss": "^8.3.11"
diff --git a/test/test.js b/test/test.js
index 283b2b5..8204d94 100644
--- a/test/test.js
+++ b/test/test.js
@@ -119,11 +119,11 @@ describe('sanitizeHtml', function() {
   it('should dump closing tags which do not have any opening tags.', function() {
     assert.equal(sanitizeHtml('<b><div/', {
       allowedTags: [ 'b' ]
-    }), '<b></b>');
+    }), '<b>/</b>');
 
     assert.equal(sanitizeHtml('<b><b<<div/', {
       allowedTags: [ 'b' ]
-    }), '<b></b>');
+    }), '<b>/</b>');
   });
   it('should tolerate not closed p tags', function() {
     assert.equal(sanitizeHtml('<div><p>inner text 1<p>inner text 2<p>inner text 3</div>'), '<div><p>inner text 1</p><p>inner text 2</p><p>inner text 3</p></div>');
@@ -152,11 +152,11 @@ describe('sanitizeHtml', function() {
     assert.equal(sanitizeHtml('<a href="java\0&#14;\t\r\n script:alert(\'foo\')">Hax</a>'), '<a>Hax</a>');
   });
   it('should dump character codes 1-32 even when escaped with padding rather than trailing ;', function() {
-    assert.equal(sanitizeHtml('<a href="java&#0000001script:alert(\'foo\')">Hax</a>'), '<a>Hax</a>');
+    assert.equal(sanitizeHtml('<a href="java&#0000001script:alert(\'foo\')">Hax</a>'), '<a href="java&amp;#0000001script:alert(\'foo\')">Hax</a>');
     // This one is weird, but the browser does not interpret it
     // as a scheme, so we're OK. That character is 65535, not null. I
     // think it's a limitation of the entities module
-    assert.equal(sanitizeHtml('<a href="java&#0000000script:alert(\'foo\')">Hax</a>'), '<a href="java�script:alert(\'foo\')">Hax</a>');
+    assert.equal(sanitizeHtml('<a href="java&#0000000script:alert(\'foo\')">Hax</a>'), '<a href="java&amp;#0000000script:alert(\'foo\')">Hax</a>');
   });
   it('should still like nice schemes', function() {
     assert.equal(sanitizeHtml('<a href="http://google.com/">Hi</a>'), '<a href="http://google.com/">Hi</a>');