Scenario:
if you want to strip all insane tags but allow "a" and "img" tags, you would use this
$string = Sanitizer::removeHTMLtags( $string, null, array(), array( "a", "img" ) );
This leaves single "a" and "img" tags, but I noticed that the Sanitizer function does not work correctly for such string :
<a href='http://link-url'><img src='http://image-url'></a>
Because this a widely used construct I suggest to fix the removeHTMLtgas have it working for this case, too.
I also noticed that the function fails in the constructed case where the image tag is intentionally incorrectly written as a closed tag <img src='http://image-url' />
Version: 1.20.x
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=46443