Don't escape contents of script tags

MaddyGuthridge · MaddyGuthridge · commit e377eabfb71c · 2024-03-04T17:18:55.000+11:00
diff --git a/meta/generate_tag_defs.py b/meta/generate_tag_defs.py
@@ -12,6 +12,11 @@
 
 TEMPLATES_FOLDER = Path('./meta/templates')
 
+NO_ESCAPE_CHILDREN = """
+    def _escape_children(self) -> bool:
+        return False
+"""
+
 
 def get_template_class(name: str):
     try:
@@ -86,6 +91,11 @@ def generate_tag_class(output: TextIO, tag: TagInfo):
         .replace("{default_attrs}", default_attrs)
 
     print(text, file=output)
+
+    # And add the no escape children function if needed
+    if not tag.escape_children:
+        print(NO_ESCAPE_CHILDREN, file=output)
+
     # And a nice trailing newline to make flake8 happy
     print(file=output)
 
diff --git a/meta/scrape_tags.py b/meta/scrape_tags.py
@@ -133,6 +133,9 @@ class TagsYmlItem(TypedDict):
     rename: NotRequired[str]
     """Value to rename the class to (to avoid bad keyword usage)"""
 
+    escape_children: NotRequired[bool]
+    """Whether to escape the contents of the tag (default True)"""
+
 
 TagsYaml = dict[str, TagsYmlItem]
 """Type alias for type of tags.yml file"""
@@ -191,6 +194,11 @@ class TagInfo:
     Link to full documentation on MDN
     """
 
+    escape_children: bool
+    """
+    Whether to escape child elements for the tag
+    """
+
     attributes: list[Attr]
     """
     List of attributes and their documentation.
@@ -431,6 +439,16 @@ def get_tag_skip(tags: TagsYaml, tag_name: str) -> bool:
     return tag.get('skip', False)
 
 
+def get_tag_escape_children(tags: TagsYaml, tag_name: str) -> bool:
+    """
+    Return whether to skip this tag
+    """
+    if tag_name not in tags:
+        return True
+    tag = tags[tag_name]
+    return tag.get('escape_children', True)
+
+
 def make_mdn_link(tag: str) -> str:
     """Generate an MDN docs link for the given tag"""
     return f"{MDN_ELEMENT_PAGE}/{tag}"
@@ -455,6 +473,7 @@ def elements_to_element_structs(
             description=description,
             base=get_tag_base_class(tag_attrs, name),
             mdn_link=make_mdn_link(name),
+            escape_children=get_tag_escape_children(tag_attrs, name),
             attributes=attr_entries_to_object(tag_attrs, name),
         ))
 
diff --git a/meta/tags.yml b/meta/tags.yml
@@ -32,6 +32,7 @@ a:
       type: "Union[str, Literal['_self', '_blank', '_parent', '_top'], None]"
 
 script:
+  escape_children: false
   attributes:
     type:
       doc: Type of script to use
diff --git a/pyhtml/__tag_base.py b/pyhtml/__tag_base.py
@@ -74,6 +74,17 @@ def _get_default_attributes(
         """
         return {}
 
+    def _escape_children(self) -> bool:
+        """
+        Returns whether the contents of the element should be escaped, or
+        rendered plainly.
+
+        By default, all string content should be escaped to prevent security
+        vulnerabilities such as XSS, but this is disabled for certain tags such
+        as <script>.
+        """
+        return True
+
     def _render(self) -> list[str]:
         """
         Renders tag and its children to a list of strings where each string is
@@ -97,7 +108,9 @@ def _render(self) -> list[str]:
         else:
             out = [opening]
             # Children
-            out.extend(util.render_children(self.children))
+            out.extend(
+                util.render_children(self.children, self._escape_children())
+            )
             # Closing tag
             out.append(f"</{self._get_tag_name()}>")
 
diff --git a/pyhtml/__tags/generated.py b/pyhtml/__tags/generated.py
@@ -4119,6 +4119,10 @@ def _get_default_attributes(self, given: dict[str, AttributeType]) -> dict[str,
         return {'type': 'text/javascript'}
 
 
+    def _escape_children(self) -> bool:
+        return False
+
+
 class del_(Tag):
     """
     Represents a range of text that has been deleted from a document. This can be used when rendering "track changes" or source code diff information, for example. The `<ins>` element can be used for the opposite purpose: to indicate text that has been added to the document.
diff --git a/pyhtml/__util.py b/pyhtml/__util.py
@@ -96,7 +96,10 @@ def filter_attributes(attributes: dict[str, Any]) -> dict[str, Any]:
     }
 
 
-def render_inline_element(ele: ChildElementType) -> list[str]:
+def render_inline_element(
+    ele: ChildElementType,
+    escape_strings: bool,
+) -> list[str]:
     """
     Render an element inline
     """
@@ -107,18 +110,24 @@ def render_inline_element(ele: ChildElementType) -> list[str]:
         return ele()._render()
     else:
         # Remove newlines from strings when inline rendering
-        return [escape_string(str(ele))]
+        if escape_strings:
+            return [escape_string(str(ele))]
+        else:
+            return [str(ele)]
 
 
-def render_children(children: list[ChildElementType]) -> list[str]:
+def render_children(
+    children: list[ChildElementType],
+    escape_strings: bool,
+) -> list[str]:
     """
     Render child elements of tags.
 
     Elements are placed in the same string
     """
     rendered = []
     for ele in children:
-        rendered.extend(render_inline_element(ele))
+        rendered.extend(render_inline_element(ele, escape_strings))
     return increase_indent(rendered, 2)
 
 
diff --git a/tests/script_tag_test.py b/tests/script_tag_test.py
@@ -0,0 +1,17 @@
+"""
+# Tests / script tag test
+
+Test cases for the script tag
+"""
+from pyhtml import script
+
+
+def test_script_not_escaped():
+    """
+    Contents of script are not escaped.
+    """
+    assert str(script("<>'\";&")) == "\n".join([
+        "<script type=\"text/javascript\">",
+        "  <>'\";&",
+        "</script>",
+    ])
