HTML Parsing Fixes (#75)

AnujRNair · web-flow · commit c618ffdc2ee4 · 2020-12-22T18:41:07.000-08:00
* Updating deps to their latest versions

* Adding test to ensure that html entities arent reencoded after csp is generated

* Moving memory-fs to a defined as a dev dependency

* Ensuring style tags wrapped in noscript tags also have a hash generated for them

* Properly honoring xhtml mode when set on the html-webpack-plugin instance
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -7,6 +7,10 @@ module.exports = {
   },
   rules: {
     'prettier/prettier': ['error', { singleQuote: true }],
+    'import/no-extraneous-dependencies': [
+      'error',
+      { devDependencies: ['test-utils/**/*', '**/*.jest.js'] },
+    ],
   },
   globals: {
     document: true,
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -29,9 +29,8 @@
   "author": "Anuj Nair",
   "license": "MIT",
   "dependencies": {
-    "cheerio": "^1.0.0-rc.3",
-    "lodash": "^4.17.20",
-    "memory-fs": "^0.5.0"
+    "cheerio": "^1.0.0-rc.5",
+    "lodash": "^4.17.20"
   },
   "peerDependencies": {
     "webpack": "^4 || ^5",
@@ -40,13 +39,14 @@
   "devDependencies": {
     "babel-jest": "^26.6.3",
     "codecov": "^3.8.1",
-    "eslint": "^7.15.0",
+    "eslint": "^7.16.0",
     "eslint-config-airbnb-base": "^14.2.1",
-    "eslint-config-prettier": "^7.0.0",
+    "eslint-config-prettier": "^7.1.0",
     "eslint-plugin-import": "^2.22.1",
     "eslint-plugin-prettier": "^3.3.0",
     "html-webpack-plugin": "^5.0.0-alpha.15",
     "jest": "^26.6.3",
+    "memory-fs": "^0.5.0",
     "prettier": "^2.2.1",
     "webpack": "^5.10.1"
   }
diff --git a/plugin.jest.js b/plugin.jest.js
@@ -939,4 +939,95 @@ describe('CspHtmlWebpackPlugin', () => {
       });
     });
   });
+
+  describe('HTML parsing', () => {
+    it("doesn't encode escaped HTML entities", (done) => {
+      const config = createWebpackConfig([
+        new HtmlWebpackPlugin({
+          filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html'),
+          template: path.join(
+            __dirname,
+            'test-utils',
+            'fixtures',
+            'with-escaped-html.html'
+          ),
+        }),
+        new CspHtmlWebpackPlugin(),
+      ]);
+
+      webpackCompile(config, (_, selectors) => {
+        const $ = selectors['index.html'];
+        expect($('body').html().trim()).toEqual(
+          '&lt;h1&gt;Escaped Content&lt;h1&gt;'
+        );
+        done();
+      });
+    });
+
+    it('generates a hash for style tags wrapped in noscript tags', (done) => {
+      const config = createWebpackConfig([
+        new HtmlWebpackPlugin({
+          filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html'),
+          template: path.join(
+            __dirname,
+            'test-utils',
+            'fixtures',
+            'with-noscript-tags.html'
+          ),
+        }),
+        new CspHtmlWebpackPlugin(),
+      ]);
+
+      webpackCompile(config, (csps) => {
+        const expected =
+          "base-uri 'self';" +
+          " object-src 'none';" +
+          " script-src 'unsafe-inline' 'self' 'unsafe-eval' 'nonce-mockedbase64string-1';" +
+          " style-src 'unsafe-inline' 'self' 'unsafe-eval' 'sha256-JUH8Xh1Os2tA1KU3Lfxn5uZXj2Q/a/i0UVMzpWO4uOU='";
+
+        expect(csps['index.html']).toEqual(expected);
+
+        done();
+      });
+    });
+
+    it('honors xhtml mode if set on the html-webpack-plugin instance', (done) => {
+      const config = createWebpackConfig([
+        new HtmlWebpackPlugin({
+          filename: path.join(WEBPACK_OUTPUT_DIR, 'index.html'),
+          template: path.join(
+            __dirname,
+            'test-utils',
+            'fixtures',
+            'with-xhtml.html'
+          ),
+          xhtml: true,
+        }),
+        new CspHtmlWebpackPlugin(),
+      ]);
+
+      webpackCompile(config, (csps, selectors, fileSystem) => {
+        const xhtmlContents = fileSystem
+          .readFileSync(path.join(WEBPACK_OUTPUT_DIR, 'index.html'), 'utf8')
+          .toString();
+
+        // correct doctype
+        expect(xhtmlContents).toContain(
+          '<!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">'
+        );
+
+        // self closing tag
+        expect(xhtmlContents).toContain(
+          '<meta name="author" content="Slack"/>'
+        );
+
+        // csp has been added in
+        expect(xhtmlContents).toContain(
+          `<meta http-equiv="Content-Security-Policy" content="base-uri 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' 'unsafe-eval' 'nonce-mockedbase64string-1'; style-src 'unsafe-inline' 'self' 'unsafe-eval'"/>`
+        );
+
+        done();
+      });
+    });
+  });
 });
diff --git a/plugin.js b/plugin.js
@@ -41,7 +41,9 @@ const defaultProcessFn = (builtPolicy, htmlPluginData, $) => {
   metaTag.attr('content', builtPolicy);
 
   // eslint-disable-next-line no-param-reassign
-  htmlPluginData.html = $.html();
+  htmlPluginData.html = get(htmlPluginData, 'plugin.options.xhtml', false)
+    ? $.xml()
+    : $.html();
 };
 
 const defaultPolicy = {
@@ -312,6 +314,8 @@ class CspHtmlWebpackPlugin {
   processCsp(htmlPluginData, compileCb) {
     const $ = cheerio.load(htmlPluginData.html, {
       decodeEntities: false,
+      _useHtmlParser2: true,
+      xmlMode: get(htmlPluginData, 'plugin.options.xhtml', false),
     });
 
     // if not enabled, remove the empty tag
diff --git a/test-utils/fixtures/with-escaped-html.html b/test-utils/fixtures/with-escaped-html.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="en-US">
+  <head>
+    <meta name="author" content="Slack" />
+    <meta http-equiv="Content-Security-Policy" />
+    <title>Slack CSP HTML Webpack Plugin Tests</title>
+  </head>
+  <body>
+    &lt;h1&gt;Escaped Content&lt;h1&gt;
+  </body>
+</html>
diff --git a/test-utils/fixtures/with-noscript-tags.html b/test-utils/fixtures/with-noscript-tags.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="en-US">
+<head>
+    <meta name="author" content="Slack" />
+    <meta http-equiv="Content-Security-Policy" />
+    <title>Slack CSP HTML Webpack Plugin Tests</title>
+    <noscript>
+      <style>
+        body {
+          background-color: red;
+        }
+      </style>
+    </noscript>
+</head>
+<body>
+Body
+</body>
+</html>
diff --git a/test-utils/fixtures/with-xhtml.html b/test-utils/fixtures/with-xhtml.html
@@ -0,0 +1,11 @@
+<!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html lang="en-US">
+  <head>
+    <meta name="author" content="Slack" />
+    <meta http-equiv="Content-Security-Policy" content="" />
+    <title>Slack CSP HTML Webpack Plugin Tests</title>
+  </head>
+  <body>
+    Body
+  </body>
+</html>
