Prevent noscript tags in Safelist
jhy committed Oct 18, 2023
1 parent 4864af4 commit 5f20fcc
Showing 3 changed files with 21 additions and 2 deletions.
3 changes: 3 additions & 0 deletions CHANGES
@@ -69,6 +69,9 @@ Release 1.16.2 [PENDING]
java.io.UncheckedIOException. If you are catching the former, modify your code to catch the latter instead.
<https://github.com/jhy/jsoup/pull/1989>

* Change: blocked noscript tags from being added to Safelists, due to incompatibilities between parsers with and
without script-mode enabled.

Release 1.16.1 [29-Apr-2023]
* Improvement: in Jsoup.connect(url), natively support URLs with Unicode characters in the path or query string,
without having to be escaped by the caller.
2 changes: 2 additions & 0 deletions src/main/java/org/jsoup/safety/Safelist.java
@@ -248,6 +248,8 @@ public Safelist addTags(String... tags) {

for (String tagName : tags) {
Validate.notEmpty(tagName);
Validate.isFalse(tagName.equalsIgnoreCase("noscript"),
"noscript is unsupported in Safelists, due to incompatibilities between parsers with and without script-mode enabled");
tagNames.add(TagName.valueOf(tagName));
}
return this;
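Review bot: The noscript rejection lives only inside the `addTags` loop, so it protects the safelist only if every write to `tagNames` goes through this method; other Safelist methods are not visible here, and any that add a tag directly would still accept it. Enforcing the rule where the `TagName` is built or inserted, or having those methods call `addTags`, would make it hold for the whole class. The comparison also runs on the raw argument before `TagName.valueOf(tagName)`, so if `valueOf` normalises more than case (not shown), checking the normalised name would be the tighter form. A short why-comment above the check would help, e.g. `// noscript parses differently with scripting on vs. off, so cleaned output may not mean the same thing in a browser`. The body of `addTags` starts and ends outside the hunk.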
18 changes: 16 additions & 2 deletions src/test/java/org/jsoup/safety/SafelistTest.java
@@ -1,13 +1,13 @@
package org.jsoup.safety;

import org.jsoup.helper.ValidationException;
import org.jsoup.nodes.Attribute;
import org.jsoup.nodes.Attributes;
import org.jsoup.nodes.Element;
import org.jsoup.parser.Tag;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.*;

public class SafelistTest {
private static final String TEST_TAG = "testTag";
@@ -61,5 +61,19 @@ public void testCopyConstructor_noSideEffectOnProtocols() {
assertFalse(safelist2.isSafeAttribute(TEST_TAG, invalidElement, invalidAttribute));
}

@Test
void noscriptIsBlocked() {
boolean threw = false;
Safelist safelist = null;
try {
safelist = Safelist.none().addTags("NOSCRIPT");
} catch (ValidationException validationException) {
threw = true;
assertTrue(validationException.getMessage().contains("unsupported"));
}
assertTrue(threw);
assertNull(safelist);
}


}
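Review bot: `noscriptIsBlocked` hand-rolls the exception check with a `threw` flag, a try/catch and a trailing `assertNull(safelist)`, which is more machinery than the JUnit 5 idiom needs now that `Assertions.*` is imported. `ValidationException ex = assertThrows(ValidationException.class, () -> Safelist.none().addTags("NOSCRIPT"));` followed by `assertTrue(ex.getMessage().contains("unsupported"));` states the same expectation in two lines. The test also exercises only the upper-case spelling; adding `"noscript"` and a mixed-case value would pin the case-insensitive behaviour that the production check relies on.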
