Difference from 1.19.1 to 1.20.1 in iframe and escaping behavior when cleaning html

[justone]

I noticed a parsing difference when it came to iframe child content between 1.19.1 to 1.20.1. I don't know which behavior is correct.

Given this html fragment:

<blockquote>
      <p>
        Some content
      <script>alert('script outside iframe, oh noes!');</script></p>
      <iframe>Content inside iframe<script>alert('script between iframe, oh noes!');</script></iframe>
    </blockquote>

When cleaned with String safeHtml = Jsoup.clean(unsafeHtml, Safelist.relaxed());, the following is the result:

1.19.1:

<blockquote>
 <p>Some content</p>Content inside iframe &lt;script&gt;alert('script between iframe, oh noes!');&lt;/script&gt;
</blockquote>

1.20.1:

<blockquote>
 <p>Some content</p>
</blockquote>

I used git bisect and the commit where the behavior was introduced is 3704342, where the pretty printer was rewritten.

Is the iframe removal the right behavior?
Is there a way to replicate the old behavior, with the child content getting escaped?

Thank you for any help or insight.

[justone]

I also noticed that if I use the following:

String safeHtml = Jsoup.clean(unsafeHtml, Safelist.relaxed().addTags("iframe"));

The iframe tag is included and the script tag is escaped in 1.19.1:

<blockquote>
 <p>Some content</p><iframe>Content inside iframe&lt;script&gt;alert('script between iframe, oh noes!');&lt;/script&gt;</iframe>
</blockquote>

But the 1.20.1, the script tag is not escaped:

<blockquote>
 <p>Some content</p>
 <iframe>Content inside iframe<script>alert('script between iframe, oh noes!');</script></iframe>
</blockquote>

[jhy]

Hi, thanks for the clear report.

In the revamped Printer & Tag implementations (the commit you linked), I fixed it such that any tag with Data content is inserted as a DataNode. That is, "iframe", "noembed", "noframes", "script", "style", "xmp". Previously only "script" and "style" were inserted as DataNodes (vs TextNodes).

The intention is that these elements do not contain text that should appear in the text() methods, but rather actual data (in the case of script and style) or markup that should effectively be ignored by current parsers / UAs. Hence, we place them into DataNodes.

The Cleaner's behavior is to drop the contents of DataNodes if their tag is not allowed. (V.s. TextNodes which are retained, and always escaped.)

So, I believe that the current behavior demonstrated here is correct.

For the avoidance of doubt, the example where you add iframe to the safe-list is not an XSS. Browsers and jsoup both parse the contents as data, so the <script>... is just that textual data; not an element that could be parsed and executed.

I have updated the HTML parser so that you can configure what text state known-tags like this are parsed as. So, you can now do something like this to get the old behavior if that's what's desired:

String input = "<iframe>content is <data></iframe>";

TagSet tags = TagSet.Html();
tags.valueOf("iframe", Parser.NamespaceHtml)
    .clear(Tag.Data)
    .set(Tag.RcData);

Document inDoc = Jsoup.parse(input, Parser.htmlParser().tagSet(tags));
Cleaner cleaner = new Cleaner(Safelist.relaxed());
String cleaned = cleaner.clean(inDoc).body().html();
assertEquals("content is &lt;data&gt;", cleaned);

In #2284 I have outlined plans to revamp the Cleaner. I think a nice option would be to make the action on finding a blocked tag configurable -- so you could Drop, Escape, etc if we can think of other options.

Cheers,
Jonathan

[justone]

Thank you for the thorough explanation and change to enable the older behavior. I tested it locally and can confirm that it works.

Thanks again.