From 5f20fcc2f728a930444c2ba9252ec26b20587a80 Mon Sep 17 00:00:00 2001
From: Jonathan Hedley
Date: Wed, 18 Oct 2023 13:08:38 +1100
Subject: [PATCH] Prevent noscript tags in Safelist

---
 CHANGES | 3 +++
 src/main/java/org/jsoup/safety/Safelist.java | 2 ++
 .../java/org/jsoup/safety/SafelistTest.java | 18 ++++++++++++++++--
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index d329d3e8ab..cd8bfe6a0d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -69,6 +69,9 @@ Release 1.16.2 [PENDING]
 java.io.UncheckedIOException. If you are catching the former, modify your code to catch the latter instead.
+ * Change: blocked noscript tags from being added to Safelists, due to incompatibilities between parsers with and
+ without script-mode enabled.
+
 Release 1.16.1 [29-Apr-2023]
 * Improvement: in Jsoup.connect(url), natively support URLs with Unicode characters in the path or query string, without having to be escaped by the caller.
diff --git a/src/main/java/org/jsoup/safety/Safelist.java b/src/main/java/org/jsoup/safety/Safelist.java
index 710c070e38..75e80b8901 100644
--- a/src/main/java/org/jsoup/safety/Safelist.java
+++ b/src/main/java/org/jsoup/safety/Safelist.java
@@ -248,6 +248,8 @@ public Safelist addTags(String... tags) {
 for (String tagName : tags) {
 Validate.notEmpty(tagName);
+ Validate.isFalse(tagName.equalsIgnoreCase("noscript"),
+ "noscript is unsupported in Safelists, due to incompatibilities between parsers with and without script-mode enabled");
 tagNames.add(TagName.valueOf(tagName));
 }
 return this;
diff --git a/src/test/java/org/jsoup/safety/SafelistTest.java b/src/test/java/org/jsoup/safety/SafelistTest.java
index 8b1c1ffd09..796ddc7225 100644
--- a/src/test/java/org/jsoup/safety/SafelistTest.java
+++ b/src/test/java/org/jsoup/safety/SafelistTest.java
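Review bot: The guard only covers addTags, so a caller can still get noscript into tagNames through any other method of Safelist that inserts a TagName — addAttributes and addEnforcedAttribute look like they do in this class, though neither is in this hunk; if they do, `Safelist.none().addAttributes("noscript", "class")` reinstates exactly the tag this commit blocks. A single private `checkTagName(String tagName)` holding the `Validate.isFalse(tagName.equalsIgnoreCase("noscript"), …)` check, called from every method that adds a tag, or an equivalent rejection inside isSafeTag so the Cleaner never passes a noscript element however the list was built, closes that gap without widening the public API. Because the check sits inside the loop, `addTags("b", "noscript")` throws only after "b" has been added, leaving the Safelist partially mutated; validating every name before the first `tagNames.add` keeps the call atomic. addTags's closing brace is outside the hunk.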
@@ -1,13 +1,13 @@
 package org.jsoup.safety;
+import org.jsoup.helper.ValidationException;
 import org.jsoup.nodes.Attribute;
 import org.jsoup.nodes.Attributes;
 import org.jsoup.nodes.Element;
 import org.jsoup.parser.Tag;
 import org.junit.jupiter.api.Test;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.*;
 public class SafelistTest {
 private static final String TEST_TAG = "testTag";
@@ -61,5 +61,19 @@ public void testCopyConstructor_noSideEffectOnProtocols() {
 assertFalse(safelist2.isSafeAttribute(TEST_TAG, invalidElement, invalidAttribute));
 }
+ @Test
+ void noscriptIsBlocked() {
+ boolean threw = false;
+ Safelist safelist = null;
+ try {
+ safelist = Safelist.none().addTags("NOSCRIPT");
+ } catch (ValidationException validationException) {
+ threw = true;
+ assertTrue(validationException.getMessage().contains("unsupported"));
+ }
+ assertTrue(threw);
+ assertNull(safelist);
+ }
+
 }
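Review bot: The hand-rolled try/catch with a `threw` flag in noscriptIsBlocked is what JUnit 5's assertThrows exists for, and the wildcard static import this hunk adds already brings it into scope; the body collapses to `ValidationException ex = assertThrows(ValidationException.class, () -> Safelist.none().addTags("NOSCRIPT"));` followed by `assertTrue(ex.getMessage().contains("unsupported"));`, which also makes the `safelist` null check unnecessary because a throwing factory chain never yields a value. The single "NOSCRIPT" input exercises the case-insensitive match but not the plain lowercase spelling or a mixed list such as `addTags("b", "noscript")`; a second assertThrows for each would pin the behaviour the Safelist change is meant to guarantee. The class's closing brace is the last context line of the hunk, so the whole new method is in view.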