Extra <body> node and ignored <script> with hook uponSanitizeElement

[jfparadis]

Two issues with hook uponSanitizeElement:

• Calling sanitize causes one extra callback, aways with extra node.
  Example: <div><script>alert(0)</script></div>
  Hook called 4 times: BODY, DIV, SCRIPT, text

• When sanitizing string containing only <script> tag, there is no callback for script.
  Example: <script>alert(0)</script>
  Hook called 1 time: BODY

Please see this: JSFiddle.

[cure53]

Ah, that's the old problem with the browser moving SCRIPT, STYLE and others into the HEAD element when not prepended by any other element. This is causing trouble in many situations. Technically not our fault but I feel more and more we should fix this.

How do you feel about a FORCE_BODY configuration flag that simply makes sure that nothing goes into the HEAD? We could default it to false right now for 0.8.x and set it to true starting with 0.9.x.

[jfparadis]

Very interesting.

Question: if <script> gets moved to <head>, why uponSanitizeElement is not called with <head>, then with the <script>?

[cure53]

We use the doc.body as the platform to check and sanitize the markup :) That's why it simply disappears.

The idea is now to pre-fill the body with a nonsense element, then initialize the document, then remove the nonsense element again - all behind the suggested FORCE_BODY flag. Then your bug should disappear :)

[cure53]

Would the proposed fix work for you?

[jfparadis]

Yes, FORCE_BODY would work. There is another approach:

If I create a simple test.html with the following content:

<script src="hello.js"></script>

And if I load it in the browser and look at the DOM, I obtain:

<html>
    <head>
        <script src="hello.js"></script>
    </head>
    <body>
    </body>
</html>

Because the callback starts at doc.body, we get the current behavior (the head is ignored).

Now, if I create a simple test2.html with the following content:

<html>
    <head>
        <script src="hello.js"></script>
    </head>
    <body>
    </body>
</html>

I get the same behavior, the <head> is also ignored ( you can see the result on my updated JSFiddle, the head is also ignored).

An alternative approach would be to call doc.head followed by doc.body. The advantage would be to always process head markup and body markup, and to mimic more closely the browser behavior.

[cure53]

We thought about that initially but I think the changes would be too disruptive. I'll see that I get an implementation of FORCE_BODY to work asap.

[cure53]

@jfparadis Check out the latest commits in the master branch. This should eliminate the problem. tests are green as well.

[jfparadis]

A few notes:

1. This solution makes perfect sense: as you say in the description, the current behavior was counter-intuitive. This changes solves the normal case.

2. And if someone absolutely need to parse the whole document, this is covered by {WHOLE_DOCUMENT: true}.

3. I've updated the JSFiddle with the latest code, and it works as specified.

4. I the JSFiddle, when sending a complete document with the new option (third test), we don't get HTML, HEAD, or a duplicate BODY. That's what one should expect.

Well done!

[cure53]

Thanks, my pleasure :)