fix: santize noscript contents

Previously, `noscript` was parsed as raw text. This however is not correct as `noscript` can contain child elements. We no updated the logic to parse noscript as an element which causes santization of child nodes.
angular · Sep 29, 2023 · 77f745f · 77f745f
1 parent 9eea7b4
commit 77f745f
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 11 deletions.
diff --git a/lib/HTMLParser.js b/lib/HTMLParser.js
@@ -2165,9 +2165,6 @@ function HTMLParser(address, fragmentContext, options) {
       case "plaintext":
         tokenizer = plaintext_state;
         break;
-      case "noscript":
-        if (scripting_enabled)
-          tokenizer = plaintext_state;
       }
     }
 
@@ -5933,13 +5930,6 @@ function HTMLParser(address, fragmentContext, options) {
         parseRawText(value,arg3);
         return;
 
-      case "noscript":
-        if (scripting_enabled) {
-          parseRawText(value,arg3);
-          return;
-        }
-        break;  // XXX Otherwise treat it as any other open tag?
-
       case "select":
         afereconstruct();
         insertHTMLElement(value,arg3);

diff --git a/test/domino.js b/test/domino.js
@@ -1492,3 +1492,9 @@ exports.supportsNonceAttribute = function() {
   h1.nonce = 'randomhaash';
   h1.outerHTML.should.equal('<style nonce="randomhaash">* {color: red}</style>');
 };
+
+exports.supportsHtmlElementsInNoScriptTag = function() {
+  const document = domino.createDocument('<body><noscript>For information <em>click</em> here.</noscript></body>');
+  const noscript = document.querySelector('noscript');
+  noscript.outerHTML.should.equal('<noscript>For information <em>click</em> here.</noscript>');
+};
diff --git a/test/xss.js b/test/xss.js
@@ -88,9 +88,17 @@ exports.escapeAngleBracketsInDivAttr = function() {
   var document = domino.createDocument(
     `<div>You don't have JS! Click<a href="#" title="Search for </div><script>alert(1)</script> without JS">here</a> to go to the no-js website.</div>`
   );
-  // Ensure that HTML entities are properly encoded inside <style>
   document.body.innerHTML.should.equal(
     `<div>You don't have JS! Click<a href="#" title="Search for &lt;/div&gt;&lt;script&gt;alert(1)&lt;/script&gt; without JS">here</a> to go to the no-js website.</div>`
   );
 };
 
+exports.escapeAngleBracketsInNoScriptAttr = function() {
+  var document = domino.createDocument(
+    `<div><noscript>You don't have JS! Click<a href="#" title="Search for </noscript><script>alert(1)</script> without JS">here</a> to go to the no-js website.</noscript></div>`
+  );
+  document.body.innerHTML.should.equal(
+    `<div><noscript>You don't have JS! Click<a href="#" title="Search for &lt;/noscript&gt;&lt;script&gt;alert(1)&lt;/script&gt; without JS">here</a> to go to the no-js website.</noscript></div>`
+  );
+};
+