CSS and JavaScript embeds not detected if non-standard closing tags are used
Closed this issue · 0 comments
Bug Report
- Package(s): language-html
- Version(s):
v0.1.23,v0.1.24
Description
Some HTML parser are forgiving when it comes to closing tags and will accept a closing tags with attributes. As a result, source code may contain closing tags with attributes. If that happens on either </script> or </style>, the HtmlLanguagePlugin won't detect the script/stylesheet (resp.) as embeds (ref script, ref style)
This was discovered as part of: https://github.com/ericcornelissen/webmangler/security/code-scanning/9, https://github.com/ericcornelissen/webmangler/security/code-scanning/10 (all of which were closed as they're not security bugs).
Actual Behaviour
-
Have a HTML file with either a
<script>tag or<style>tag - or both - where the closing tag has an attribute. For example:<style> .cls-foo { display: block; } </style hello="world"> <script> var x = document.querySelectorAll(".cls-foo"); </script goodbye="cruel world">
-
Run WebMangler CLI (version
0.1.6) with WebMangler Core (version0.1.24) and the default mangler plugins & default language plugins (at the exact versions found in the WebMangler Corepackage.json). -
Observe that the embedded stylesheet and script aren't mangled. For the example above:
<style> .cls-foo { display: block; } </style hello="world"> <script> var x = document.querySelectorAll(".cls-foo"); </script goodbye="cruel world">
Expected Behaviour
The mangled HTML looks something like:
<style>
.a {
display: block;
}
</style hello="world">
<script>
var x = document.querySelectorAll(".a");
</script goodbye="cruel world">