When using <optgroup> within a <select> element, the sanitized HTML is invalid and contains extra <select> tags.
The following HTML:
<form><select><optgroup label="mygroup"><option>My option</option></optgroup></select></form>
would become:
<form><select><optgroup label="mygroup"><select><option>My option</option></select></optgroup></select></form>
Note that without the <optgroup> tag, the sanitized HTML is correct.
Unit test to reproduce the issue (with version 20240325.1):
```java
import org.junit.Test;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import static org.junit.Assert.assertEquals;

public class OptgroupTest {

    @Test
    public void not_working() {
        HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder();
        PolicyFactory factory = policyBuilder
                .allowElements("form", "select", "optgroup", "option")
                .allowAttributes("label").globally()
                .toFactory();
        String html = "<form><select><optgroup label=\"mygroup\"><option>My option</option></optgroup></select></form>";
        String result = factory.sanitize(html);
        assertEquals(html, result); // this fails!
        // Expected :<form><select><optgroup label="mygroup"><option>My option</option></optgroup></select></form>
        // Actual :<form><select><optgroup label="mygroup"><select><option>My option</option></select></optgroup></select></form>
    }

    @Test
    public void working() {
        HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder();
        PolicyFactory factory = policyBuilder.allowElements("form", "select", "option").toFactory();
        String html = "<form><select><option>My option</option></select></form>";
        String result = factory.sanitize(html);
        assertEquals(html, result);
    }
}
```
Is there anything missing when creating the PolicyFactory to properly support <optgroup>?
NB: Same problem seems to happen with <datalist> tags.
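Added example, not part of the original report or of java-html-sanitizer: a JDK-only check that flags the symptom described above, a `<select>` opened while another `<select>` is still open, so it can be asserted on sanitizer output in a regression test. The class and method names are hypothetical, and the tag scanner assumes its input is already-sanitized output (normalized tags, no raw `>` inside attribute values).

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper: not an API of java-html-sanitizer.
public class NestedSelectCheck {
    // Matches an opening or closing tag and captures its name.
    private static final Pattern TAG =
            Pattern.compile("<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>");

    /** Returns the offset of the first <select> nested in a <select>, or -1. */
    static int firstNestedSelect(String html) {
        Deque<String> open = new ArrayDeque<>();
        Matcher m = TAG.matcher(html);
        while (m.find()) {
            String name = m.group(2).toLowerCase();
            boolean closing = !m.group(1).isEmpty();
            if (closing) {
                // Pop up to and including the matching open tag; elements
                // left unclosed in between (e.g. void elements) are dropped.
                if (open.contains(name)) {
                    while (!open.pop().equals(name)) {
                        // keep popping
                    }
                }
            } else {
                if (name.equals("select") && open.contains("select")) {
                    return m.start();
                }
                open.push(name);
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Both strings are the ones quoted in the report above.
        String expected = "<form><select><optgroup label=\"mygroup\">"
                + "<option>My option</option></optgroup></select></form>";
        String actual = "<form><select><optgroup label=\"mygroup\"><select>"
                + "<option>My option</option></select></optgroup></select></form>";
        System.out.println("expected: " + firstNestedSelect(expected));
        System.out.println("actual:   " + firstNestedSelect(actual));
    }
}
```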