
Elements within <noscript> are not hashed #63

Closed
bigotilda opened this issue Jun 30, 2020 · 2 comments

Comments

bigotilda commented Jun 30, 2020

Description

If your source HTML has a <noscript> element with e.g. an inline <style> child element, that style is not getting hashed and no hash corresponding to it can be found in the meta CSP tag in the output.

I imagine that styles within a <noscript> can and should be included when hashes are being generated.

I have looked into this and it is related to cheerio's load() function, which by default uses parse5, which acts as a JavaScript-enabled user agent, and so when parse5 parses the input HTML, it properly (from its perspective) does not parse the contents of a <noscript> (or, more accurately, it does parse it but returns the contents as plain text rather than DOM nodes).

Cheerio can be configured to use htmlparser2, and when we do that, it handles the <noscript> as desired and we get the child DOM elements (e.g. the <style>). However, it seems that explicitly configuring cheerio to use htmlparser2 is done via an internal, undocumented option, _useHtmlParser2: true, which may not be safe for consumers such as this package to use.

You can also use cheerio's xmlMode: true option which also parses <noscript> as desired, but that changes the output HTML into an XML document and has all sorts of unwanted (most likely) side effects for the generated HTML.

References:
cheeriojs/cheerio#1105
inikulin/parse5#105
https://github.com/fb55/htmlparser2

What type of issue is this? (place an x in one of the [ ])

  • bug
  • enhancement (feature request)
  • question
  • documentation related
  • testing related
  • discussion

Requirements (place an x in each of the [ ])

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Bug Report

Filling out the following details about bugs will help us solve your issue sooner.

Reproducible in:

slackhq/csp-html-webpack-plugin version: 4.0.0

node version: 10.19.0

OS version(s): macOS Catalina version 10.15.5

Steps to reproduce:

  1. Have a <noscript> element with a simple inline <style> child element, e.g. this index.ejs template:

```html
<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <noscript>
      <style>
        .disabled-javascript {
          color: red;
        }
      </style>
    </noscript>
  </head>
  <body>
    <h1>Hello World</h1>
  </body>
</html>
```

  2. Set up HtmlWebpackPlugin to use the above as its template.
  3. Set up csp-html-webpack-plugin as follows:

```js
new CspHtmlWebpackPlugin({
  'base-uri': "'self'",
  'object-src': "'none'",
  'script-src': ["'self'"],
  'style-src': ["'self'"]
}, {
  enabled: true,
  hashingMethod: 'sha256',
  hashEnabled: {
    'script-src': true,
    'style-src': true
  },
  nonceEnabled: {
    'script-src': false,
    'style-src': false
  }
})
```

Expected result:

In the generated CSP meta tag, I should see a corresponding hash entry in the style-src directive

Actual result:

In the generated CSP meta tag, I only see 'self' in the style-src directive.

Attachments:

Logs, screenshots, screencast, sample project, funny gif, etc.

@terrynguyen255

I'm facing the same problem

AnujRNair mentioned this issue Dec 22, 2020

@AnujRNair (Contributor)

Fixed in #75
