Fix DisallowedRawHtml bypass via newline/tab in tag names

Author: colinodell

src/Extension/DisallowedRawHtml/DisallowedRawHtmlRenderer.php

@@ -45,7 +45,7 @@ public function render(Node $node, ChildNodeRendererInterface $childRenderer): ?
             return $rendered;
         }
 
-        $regex = \sprintf('/<(\/?(?:%s)[ \/>])/i', \implode('|', \array_map('preg_quote', $tags)));
+        $regex = \sprintf('/<(\/?(?:%s)[\s\/>])/i', \implode('|', \array_map('preg_quote', $tags)));
 
         // Match these types of tags: <title> </title> <title x="sdf"> <title/> <title />
         return \preg_replace($regex, '&lt;$1', $rendered);

tests/unit/Extension/DisallowedRawHtml/DisallowedRawHtmlRendererTest.php

@@ -72,7 +72,7 @@ public static function dataProviderForTestWithDefaultSettings(): iterable
         yield ['<plaintext>', '&lt;plaintext>'];
 
         // Newline/whitespace bypass attempts (security fix)
-        yield ["<script   >", "&lt;script   >"];
+        yield ['<script   >', '&lt;script   >'];
         yield ["<script\n>", "&lt;script\n>"];
         yield ["<script\t>", "&lt;script\t>"];
         yield ["<script\r\n>", "&lt;script\r\n>"];
@@ -118,7 +118,7 @@ public static function dataProviderForTestWithCustomSettings(): iterable
         yield ['<strong />', '&lt;strong />'];
 
         // Newline bypass with custom config
-        yield ["<strong   >", "&lt;strong   >"];
+        yield ['<strong   >', '&lt;strong   >'];
         yield ["<strong\n>", "&lt;strong\n>"];
         yield ["<strong\t>", "&lt;strong\t>"];