Since 1.17.1 CDATA being added around other CDATA in XHTML documents

[rgevaerd]

This test below using XHTML passes on 1.16.2 and fails on 1.17.1 because it adds another CDATA, generating something like: ...<script><![CDATA[<![CDATA[...]]>]]></script> and such code causes a javascript error on a browser due to the duplicated CDATA.

Document doc = Jsoup
.parse("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html><head></head><body><script><![CDATA[console.log('ok');]]></script></body></html>");
doc.outputSettings().prettyPrint(false).syntax(Syntax.xml);
assertEquals(
"<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html><head></head><body><script><![CDATA[console.log('ok');]]></script></body></html>",
doc.outerHtml());

I suspect this problem was introduced by #1720

Please note that adding CDATA only if the text node doesn't start with <![CDATA[ will not be enough to fix this, because the <![CDATA[ expression can be in the middle of the text node. A text node can even have multiple CDATA nodes. But a CDATA node cannot have another CDATA node in it.

[jhy]

A text node can even have multiple CDATA nodes. But a CDATA node cannot have another CDATA node in it.

I feel this is the crux of the issue. Logically there are 3 seperate node types in play - a TextNode, a DataNode, and a CDataNode. Each are leaf nodes -- logically a TextNode (or DataNode) could not contain a CDataNode. Either the parser parses each individually (so perhaps if this were in a <p> element, it might be TextNode, CData, TextNode, Cdata).

In a HTML parse, the contents of a <script> are tokenized in the Script Data State. There is no concept of a CData node. Only DataNodes or potentially HTML comments.

And if I run your original HTML in Chrome, I actually get a Javascript syntax error:

Uncaught SyntaxError: Unexpected token '<' (at script-data-input.html:1:155)

As it's also not tokenising the <![CDATA[]]> as anything special - just a data literal, which then blows up in the Javascript parser.

Back in the olden days I recall there was special handling in the script flow that would parse the CData section specifically (as there is for other markup types - CData section).

Have you got an example URL with script data like this (with Cdata) that a browser executes? I would like to inspect to see if something else is supposed to kick it into XML parse mode.

Otherwise, I'm not sure how to appropriately handle the situation.

[rgevaerd]

Hi @jhy,
The Java test code I made I focused on reproducing the scenario in the jsoup and showing the CDATA being added around the other one, and actually used a sample HTML in that test code that results in script error if rendered in a browser. Sorry about that.

Here is an example of a full XHTML using CDATA properly working on browsers:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head></head><body>
<script>//<![CDATA[[
	console.log('script sucessfully executed even with a special character ampersand &');
//]]></script>
</body></html>

The rationale about this style of CDATA usage is that when using XHTML, for the document to be both compatible with HTML and XML parsers it is good practice to use a commented CDATA on the <script>, as it is common for scripts to have special characters that would require escaping in XML but would not be escaped in HTML. This way those special characters does not need to be escaped and become compatible in both XML (that will take CDATA into account) and HTML (that does not take CDATA into account but will just ignore it as it is commented). As a reference of this I present you the Appendix A of XHTML media type document that describes compatibility guidelines ("This appendix summarizes design guidelines for authors who wish their XHTML documents to render on both XHTML-aware and modern HTML user agents"). The item A.4 of this appendix describes this style of CDATA usage to obtain such compatibility with embedded script and style tags. Here is a link for this item: https://www.w3.org/TR/2009/NOTE-xhtml-media-types-20090116/#C_4

With the changes made in 1.17.1, the use of jsoup to process XHTML (using jsoup to make some modifications on the XHTML for example) and then using the resulting source-code read from jsoup now generates a XHTML that fails as both XML and HTML due to that added CDATA in the script element. Until jsoup 1.16.2 I could do this without any problem.

[jhy]

Thanks, got it. So in context the browser is not parsing the CData as anything special and just a data literal, but the Javascript parser drops it as the comment.

Not sure the best approach here.

How are you presenting the content after your trip through jsoup? As HTML or XML?

I'm thinking that if you are presenting it as HTML you are not going to want a CData directly after the <script> tag, regardless of if the content within has a CData. You want it preserved in the form of the JS comment.

Maybe the concept of #1720 needs to change to do a deeper introspection and add / preserve a comment node. But then it's moving away from the DataNode just changing its escape manner. And it won't work directly for e.g. <style> tags.

Maybe there's another output mode required which is XHTML. But I don't really think that's a good path and think in most cases folks should move away from that. But perhaps that's the implicit goal here.

Maybe to help me understand better and weave this path - why are you setting the output syntax to XML? It's not about parsing with an XML parser, right?

[rgevaerd]

How are you presenting the content after your trip through jsoup? As HTML or XML?

In the end the content is presented on the browser as HTML, but as a XHTML due to the doctype. As its doctype specifies it as XHTML, it is required to follow XHTML specifications so it also passes some code validations, just being able to be rendered by modern browsers while not following the specifications would not be enough for some clients that are stricter in their validations.

Maybe to help me understand better and weave this path - why are you setting the output syntax to XML? It's not about parsing with an XML parser, right?

I set the output syntax to XML so the generated code is following the XHTML specification. XHTML requires the code to be XML compatible. Although I am not parsing it with a XML parser myself, the specification requires it to be compatible with it.
For example, while in HTML you may have unclosed tags like <meta ...> and <br>, in XHTML they must be properly closed, for example as <br/> and <meta ... />. Using output syntax HTML, he was for example generating meta and br tags unclosed.
Modern browsers will likely accept both as they are quite lenient, but in my case I am required to modify something in a a valid XHTML code expecting to generate a valid XHTML code as a result. If the result is validated by a tool such as https://validator.w3.org it is expected to pass

I also have scenario of both type of inputs, XHTML and HTML5. So I basically use jsoup to parse the input no matter which of both types it is, and then after processing, to generate the output, if the input was XHTML I use Syntax.xml, and if the input was HTML5 I use Syntax.html.

[jhy]

OK so that kind of connects with my thought that a OutputSyntax type of XHTML would make sense in this context. It's neither HTML nor XML. Perhaps a different question would be why have a goal of producing XHTML? As it's been dead since 2005 ~ 2007 at least. (Per your edit, makes sense; not producing new XHTML but trying to be light touch on existing older styles, I assume.)

Without introducing a new mode the best I can think of is to have the DataNode see if it's in a <script>, and if the contents don't start with something like //<!CDATA[, add that. Effectively introducing the polyglot escape if it's not already there.

@maxfortun could you take a look at this thread? Wondering what context you're using the output and why it doesn't need the //<!CDATA[ polyglot. Perhaps you're serving the content as XML and browsers are invoking their XML parser? I still feel I'm missing something.

[rgevaerd]

not producing new XHTML but trying to be light touch on existing older style

Yes, new code now uses HTML5 not XHTML. But to keep compatibility with some older code base that uses XHTML we still support it.

Without introducing a new mode the best I can think of is to have the DataNode see if it's in a <script>, and if the contents don't start with something like //<!CDATA[, add that. Effectively introducing the polygot escape if it's not already there.

Would it be possible for a DataNode that was not modified to just keep its text as is? Like if the decision to introduce a CDATA in it would only be needed if it is modified.

[maxfortun]

CDATA in CDATA... What an interesting oversight on my part. If I recall correctly at the time I used this library to convert Google web stories in AMP format, which is xhtml into an xml document for further XSL transformations, and html entities were not being converted properly into their xml equivalents. Instead of escaping the individual characters I just wrapped the whole section in CDATA, and now I see that character conversion is probably a more appropriate way to go...

[maxfortun]

If this is any helpful, this is my use-case:

Document document = Jsoup.parse(ampXhtml, "", Parser.xmlParser());
document.outputSettings().syntax(Document.OutputSettings.Syntax.xml).escapeMode(Entities.EscapeMode.xhtml);
String ampXml = document.toString();

[rgevaerd]

xhtml into an xml document for further XSL transformations

I suspect that @maxfortun 's use case, as it uses the output as XML, it would work if the input does not already contain CDATA. But if it did, it would break as it would add another CDATA around the existent one.
And if the output was used as HTML rendered in a modern browser, it would break even if it did not already contain CDATA as it would be a syntax error on javascript the uncommented CDATA.

[jhy]

Thanks @rgevaerd and @maxfortun for the discussion - I've fixed this now. It would be great if you could review and test (with a snapshot version) and let me know if any issues.

[rgevaerd]

Thanks @rgevaerd and @maxfortun for the discussion - I've fixed this now. It would be great if you could review and test (with a snapshot version) and let me know if any issues.

@jhy reviewing the code seems good to me. I could not test it, as I tried to get the snapshot from https://jsoup.org/packages/jsoup-1.17.2-SNAPSHOT.jar but it seems to be an old snapshot. Don't know where to get it updated.

[jhy]

Thanks -- there is no currently published snapshot but you can build one manually quite simply. See "Building from Source" on the download page - the mvn install will set up the snapshot.

[rgevaerd]

@jhy I tested from master and it worked fine. 👍