Skip to content

Cleaner stopped removing script content #2320

New issue
New issue
Closed
Closed
Cleaner stopped removing script content#2320
Labels
fixedAn {bug|improvement} that has been {fixed|implemented}
Milestone
1.21.1
@eric-halvorson

Description

@eric-halvorson
eric-halvorson
opened on May 5, 2025

I have been using the Cleaner since v1.16.1 to sanitize SVG by removing script.
After upgrading from v1.19.1 to v1.20.1, the behavior has changed and the text of the script is no longer removed.

A simplified example would be:

String dirtyString = "<svg><script>alert(\"test\")</script></svg>";
Document dirty = Parser.parse(dirtyString, "");
Safelist safelist = new Safelist().addTags("svg");
Cleaner cleaner = new Cleaner(safelist);
Document clean = cleaner.clean(dirty);
Document.OutputSettings outputSettings = new Document.OutputSettings().syntax(Document.OutputSettings.Syntax.xml);
String cleanString = clean.outputSettings(outputSettings).body().html();

With all versions from v1.16.1 through v1.19.1, this results in <svg></svg> with all the script removed.
But with v1.20.1, it now results in <svg>alert("test")</svg>.

Metadata

Metadata

Assignees

No one assigned

    Labels

    fixedAn {bug|improvement} that has been {fixed|implemented}

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions