Don't write self-closing tag with empty attributes #151
grafana-dee merged 1 commit into microcosm-cc:main from Gusted:self-closing-tag-bug
- Currently the code will write self-closing tags with empty attributes to the output, even when the element isn't allowed to have empty attributes.
- Move the `break` to one outer scope to fix it.
Thanks, this is a good catch and clearly a long-time minor bug.

For the people from Snyk, etc it is not a security bug in that this resolves an issue that wouldn't have led to an XSS.

What this bug is... it's tiny, but some elements are meaningful in HTML without attributes, for example the This bug meant that a policy that added an element via allowing an attribute... where the attribute was not actually in the input... then the element was still meaningless and should've been removed. The bug produced a no-op... hence no risk.

But still, a bug is a bug and this fix correctly aligns the output with the desired state, which is to remove empty elements that are meaningless without attributes.

Thanks @Gusted for the change.
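The control-flow shape described in this thread, as an added example that is not the project's code: a `break` nested one scope too deep in a Go `switch` case only fires when the inner condition holds, so otherwise the bare tag is still written. The `tag` type, the `needsAttrs` list, the `pad` option standing in for the inner scope, and the `breakInInnerScope` switch are all assumptions made for illustration; the page does not show the original code.

```go
package main

import (
	"fmt"
	"strings"
)

// tag is a hypothetical stand-in for a self-closing tag token whose
// attributes have already been filtered by the policy.
type tag struct {
	Name  string
	Attrs []string // serialized attributes that survived filtering
}

// needsAttrs is a constructed list of elements treated as meaningless when bare.
var needsAttrs = map[string]bool{"a": true, "img": true}

// sanitize drops bare tags that need attributes. With breakInInnerScope set,
// the break is reachable only when pad is true (the pre-fix shape, assumed).
func sanitize(tags []tag, pad, breakInInnerScope bool) string {
	var out strings.Builder
	for _, t := range tags {
		switch {
		case len(t.Attrs) == 0 && needsAttrs[t.Name]:
			if pad {
				out.WriteString(" ")
				if breakInInnerScope {
					break // leaves the switch, but only on the pad path
				}
			}
			if !breakInInnerScope {
				break // outer scope: always skips the write below
			}
			fallthrough
		default:
			out.WriteString("<" + strings.Join(append([]string{t.Name}, t.Attrs...), " ") + "/>")
		}
	}
	return out.String()
}

func main() {
	in := []tag{{Name: "a"}, {Name: "br"}, {Name: "img", Attrs: []string{`src="x.png"`}}} // constructed input
	fmt.Printf("inner break: %q\n", sanitize(in, false, true))
	fmt.Printf("outer break: %q\n", sanitize(in, false, false))
}
```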