Prevent noscript tags in Safelist

jhy · Oct 18, 2023 · 5f20fcc · 5f20fcc
1 parent 4864af4
commit 5f20fcc
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/CHANGES b/CHANGES
@@ -69,6 +69,9 @@ Release 1.16.2 [PENDING]
     java.io.UncheckedIOException. If you are catching the former, modify your code to catch the latter instead.
     <https://github.com/jhy/jsoup/pull/1989>
 
+  * Change: blocked noscript tags from being added to Safelists, due to incompatibilities between parsers with and
+    without script-mode enabled.
+
 Release 1.16.1 [29-Apr-2023]
   * Improvement: in Jsoup.connect(url), natively support URLs with Unicode characters in the path or query string,
     without having to be escaped by the caller.

diff --git a/src/main/java/org/jsoup/safety/Safelist.java b/src/main/java/org/jsoup/safety/Safelist.java
@@ -248,6 +248,8 @@ public Safelist addTags(String... tags) {
 
         for (String tagName : tags) {
             Validate.notEmpty(tagName);
+            Validate.isFalse(tagName.equalsIgnoreCase("noscript"),
+                "noscript is unsupported in Safelists, due to incompatibilities between parsers with and without script-mode enabled");
             tagNames.add(TagName.valueOf(tagName));
         }
         return this;

diff --git a/src/test/java/org/jsoup/safety/SafelistTest.java b/src/test/java/org/jsoup/safety/SafelistTest.java
@@ -1,13 +1,13 @@
 package org.jsoup.safety;
 
+import org.jsoup.helper.ValidationException;
 import org.jsoup.nodes.Attribute;
 import org.jsoup.nodes.Attributes;
 import org.jsoup.nodes.Element;
 import org.jsoup.parser.Tag;
 import org.junit.jupiter.api.Test;
 
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.*;
 
 public class SafelistTest {
     private static final String TEST_TAG = "testTag";
@@ -61,5 +61,19 @@ public void testCopyConstructor_noSideEffectOnProtocols() {
         assertFalse(safelist2.isSafeAttribute(TEST_TAG, invalidElement, invalidAttribute));
     }
 
+    @Test
+    void noscriptIsBlocked() {
+        boolean threw = false;
+        Safelist safelist = null;
+        try {
+            safelist = Safelist.none().addTags("NOSCRIPT");
+        } catch (ValidationException validationException) {
+            threw = true;
+            assertTrue(validationException.getMessage().contains("unsupported"));
+        }
+        assertTrue(threw);
+        assertNull(safelist);
+    }
+
 
 }