fix bug 1615315
Greg Guthe authored and g-k committed Feb 19, 2020
1 parent 2f210e0 commit 996cde7
Showing 2 changed files with 34 additions and 1 deletion.
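--- a/bleach/html5lib_shim.py
+++ b/bleach/html5lib_shim.py
@@ -376,7 +376,12 @@ def __init__(self, tags, strip, consume_entities, **kwargs):
 self.consume_entities = consume_entities
 super(BleachHTMLParser, self).__init__(**kwargs)
 
-def _parse(self, stream, innerHTML=False, container='div', scripting=False, **kwargs):
+def _parse(self, stream, innerHTML=False, container='div', scripting=True, **kwargs):
+# set scripting=True to parse <noscript> as though JS is enabled to
+# match the expected context in browsers
+#
+# https://html.spec.whatwg.org/multipage/scripting.html#the-noscript-element
+#
 # Override HTMLParser so we can swap out the tokenizer for our own.
 self.innerHTMLMode = innerHTML
 self.container = container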
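Review bot: Changing the default to `scripting=True` on the `_parse` signature protects only callers that omit the argument; an explicit `scripting=False` (the previous default, as the removed line shows) is still accepted and, per the new comment, would again parse `<noscript>` contents as though JS were disabled, so the sanitizer's tree and a JS-enabled browser's tree could differ. If bleach never intends to sanitize for a scripting-disabled context, consider pinning the value in the body, `scripting = True  # cleaned output is rendered with JS enabled`, rather than relying on the default alone. The new comment would also read better if it named the failure mode it prevents, e.g. `# with scripting=False html5lib parses <noscript> children as markup, so the sanitizer sees a different tree than a JS-enabled browser builds`. The point where `scripting` is forwarded to the html5lib parser lies outside the hunk.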
28 changes: 28 additions & 0 deletions tests/test_clean.py
Expand Up @@ -769,6 +769,34 @@ def test_nonexistent_namespace():
assert clean('<d {c}>') == '&lt;d {c}&gt;'


# tags that get content passed through (i.e. parsed with parseRCDataRawtext)
_raw_tags = [
"title",
"textarea",
"script",
"style",
"noembed",
"noframes",
"iframe",
"xmp",
]

@pytest.mark.parametrize(
"raw_tag, data, expected",
[
(
raw_tag,
"<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag,
"<noscript><%s></noscript>&lt;img src=x onerror=alert(1) /&gt;" % raw_tag,
)
for raw_tag in _raw_tags
],
)
def test_noscript_rawtag_(raw_tag, data, expected):
# refs: bug 1615315 / GHSA-q65m-pv3f-wr5r
assert clean(data, tags=["noscript", raw_tag]) == expected


def get_ids_and_tests():
"""Retrieves regression tests from data/ directory
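Review bot: The new test's name `test_noscript_rawtag_` ends in a stray underscore; `test_noscript_rawtag` would match the naming of the surrounding tests. Because each parametrized tuple contains markup, pytest's auto-generated ids will be hard to read in failure output; passing `ids=_raw_tags` to `pytest.mark.parametrize` gives one readable id per tag. The `# refs:` comment could also state what the expected strings pin, e.g. `# a raw-text tag opened inside <noscript> must not change where the element ends; the <img> after </noscript> is escaped as text`, which presumably is the parser/browser mismatch the html5lib_shim change closes. Note the hunk shows 33 lines against the 34 in its header, so one added line (likely a blank) appears to have been dropped in rendering.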
