Description
When using <optgroup> within a <select> element, the sanitized HTML is invalid and contains extra <select> tags.
The following HTML:

```html
<form><select><optgroup label="mygroup"><option>My option</option></optgroup></select></form>
```

would become:

```html
<form><select><optgroup label="mygroup"><select><option>My option</option></select></optgroup></select></form>
```

Note that without the <optgroup> tag, the sanitized HTML is correct.
Unit test to reproduce the issue (with version 20240325.1):
```java
import org.junit.Test;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import static org.junit.Assert.assertEquals;

public class OptgroupTest {

    @Test
    public void not_working() {
        // Policy allows form/select/optgroup/option and the label attribute on any element.
        HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder();
        PolicyFactory factory = policyBuilder
                .allowElements("form", "select", "optgroup", "option")
                .allowAttributes("label").globally()
                .toFactory();
        String html = "<form><select><optgroup label=\"mygroup\"><option>My option</option></optgroup></select></form>";
        String result = factory.sanitize(html);
        assertEquals(html, result); // this fails!
        // Expected :<form><select><optgroup label="mygroup"><option>My option</option></optgroup></select></form>
        // Actual   :<form><select><optgroup label="mygroup"><select><option>My option</option></select></optgroup></select></form>
    }

    @Test
    public void working() {
        // Same input without <optgroup>: the sanitizer returns the markup unchanged.
        HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder();
        PolicyFactory factory = policyBuilder
                .allowElements("form", "select", "option")
                .toFactory();
        String html = "<form><select><option>My option</option></select></form>";
        String result = factory.sanitize(html);
        assertEquals(html, result);
    }
}
```

Is there anything missing when creating the PolicyFactory to properly support <optgroup>?
NB: Same problem seems to happen with <datalist> tags.
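The report above compares sanitizer output by string equality, which catches this case but says nothing about what went wrong. The following is an added example (not part of the issue or of the OWASP Java HTML Sanitizer) of a small structural check a practitioner can run over sanitizer output: it walks the tags with an explicit open-element stack and flags any `<select>` (or `<form>`, included here as an assumption of the example rather than something the report states) that opens while one is already open, plus any unbalanced tags. The two sample strings are the expected and actual outputs quoted in the report; the `NON_NESTABLE` set and the `check_nesting` function are names chosen for this example. Python's `html.parser` is used deliberately because it reports tags exactly as written, without the HTML5 tree-construction repairs a browser would apply, so it shows what the sanitizer actually emitted.

```python
from html.parser import HTMLParser

# Constructed sample input: the sanitizer output the reporter expected and
# the output they observed, copied from the issue text above.
EXPECTED = ('<form><select><optgroup label="mygroup"><option>My option</option>'
            '</optgroup></select></form>')
ACTUAL = ('<form><select><optgroup label="mygroup"><select><option>My option'
          '</option></select></optgroup></select></form>')

# Elements that may not appear inside an open instance of themselves.
# "select" is the one this report is about; "form" is an assumption of this
# example (nested forms are likewise invalid HTML).
NON_NESTABLE = {"select", "form"}

# Void elements never take a closing tag, so they are not pushed on the stack.
VOID = {"br", "hr", "img", "input", "meta", "link"}


class NestingChecker(HTMLParser):
    """Track open elements explicitly and record every nesting violation."""

    def __init__(self):
        super().__init__()
        self.stack = []        # currently open element names, outermost first
        self.violations = []   # human-readable findings

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        if tag in NON_NESTABLE and tag in self.stack:
            self.violations.append(
                f"<{tag}> opened while <{tag}> still open at depth {len(self.stack)}")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag not in self.stack:
            self.violations.append(f"stray </{tag}>")
            return
        # Pop back to the matching open tag; anything skipped on the way was
        # left unclosed and is being closed implicitly.
        while self.stack:
            top = self.stack.pop()
            if top == tag:
                break
            self.violations.append(f"<{top}> closed implicitly by </{tag}>")


def check_nesting(html: str) -> list:
    """Return a list of nesting violations found in html (empty means clean)."""
    checker = NestingChecker()
    checker.feed(html)
    checker.close()
    for left_open in checker.stack:
        checker.violations.append(f"<{left_open}> never closed")
    return checker.violations


if __name__ == "__main__":
    for label, sample in (("expected", EXPECTED), ("actual", ACTUAL)):
        findings = check_nesting(sample)
        print(f"{label}: {'clean' if not findings else findings}")
```

Run against the two strings from the report, the expected output comes back clean and the actual output yields a single finding for the `<select>` opened inside the already-open `<select>`; the same check can be dropped into a test suite as an assertion that `check_nesting(factory.sanitize(html))` is empty, which is a more informative failure than a whole-string comparison.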