Canonicalize enforced attrs in Cleaner

Prevent duplicate enforced attributes in cleaned preserve-case documents by replacing case-variant source attrs during the enforced-attr merge.

Fixes #2476

Author: jhy

CHANGES.md

@@ -7,6 +7,7 @@
 * In `NodeTraversor`, removing or replacing the current node during `head()` no longer re-visits the replacement node, preventing loops. Traversal now continues correctly from nodes that occupy the original position after mutation, and will not advance past the original root subtree. Also, clarified in the documentation which inserted nodes are visited during the current traversal. [#2472](https://github.com/jhy/jsoup/issues/2472)
 * Parsing during charset sniffing no longer fails if an advisory `available()` call throws `IOException`, as seen on JDK 8 `HttpURLConnection`. [#2474](https://github.com/jhy/jsoup/issues/2474)
 * `Cleaner` no longer makes relative URL attributes in the input document absolute when cleaning or validating a `Document`. URL normalization now applies only to the cleaned output, and `Safelist.isSafeAttribute()` is side effect free. [#2475](https://github.com/jhy/jsoup/issues/2475)
+* `Cleaner` no longer duplicates enforced attributes when the input `Document` preserves attribute case. A case-variant source attribute is now replaced by the enforced attribute in the cleaned output. [#2476](https://github.com/jhy/jsoup/issues/2476)
 
 ## 1.22.1 (2026-Jan-01)
 

src/main/java/org/jsoup/safety/Cleaner.java

@@ -215,7 +215,11 @@ private ElementMeta createSafeElement(Element sourceEl) {
             }
         }
 
-        destAttrs.addAll(enforcedAttrs);
+        // apply enforced attributes case-insensitively, so a preserved-case source attr is canonicalized to the enforced key
+        for (Attribute enforcedAttr : enforcedAttrs) {
+            destAttrs.removeIgnoreCase(enforcedAttr.getKey());
+            destAttrs.put(enforcedAttr.getKey(), enforcedAttr.getValue());
+        }
         dest.attributes().addAll(destAttrs); // re-attach, if removed in clear
         return new ElementMeta(dest, numDiscarded);
     }

src/test/java/org/jsoup/safety/CleanerTest.java

@@ -579,6 +579,29 @@ void cleansCaseSensitiveElements(boolean preserveCase) {
         assertEquals("<a href=\"http://external.com/\" rel=\"nofollow\">One</a> <a href=\"/relative/\">Two</a> <a href=\"../other/\">Three</a> <a href=\"http://example.com/bar\" rel=\"nofollow\">Four</a>", clean4);
     }
 
+    @Test void canonicalizesEnforcedAttributes() {
+        Document customDirty = Jsoup.parse("<a REL='external'>One</a>", "",
+            Parser.htmlParser().settings(ParseSettings.preserveCase));
+        Cleaner customCleaner = new Cleaner(Safelist.none()
+            .addTags("a")
+            .addEnforcedAttribute("a", "rel", "external"));
+        assertEquals("<a rel=\"external\">One</a>", customCleaner.clean(customDirty).body().html());
+    }
+
+    @Test void canonicalizesNofollowEnforcedAttribute() {
+        Document dirty = Jsoup.parse("<a href='http://external.com/' REL='nofollow'>One</a>", "",
+            Parser.htmlParser().settings(ParseSettings.preserveCase));
+        Cleaner cleaner = new Cleaner(Safelist.basic());
+        assertEquals("<a href=\"http://external.com/\" rel=\"nofollow\">One</a>", cleaner.clean(dirty).body().html());
+    }
+
+    @Test void preservesMatchingSourceNofollowWhenEnforcementSuppressed() {
+        Document dirty = Jsoup.parse("<a href='http://example.com/foo' REL='nofollow'>One</a>", "http://example.com/",
+            Parser.htmlParser().settings(ParseSettings.preserveCase));
+        Cleaner cleaner = new Cleaner(Safelist.basic());
+        assertEquals("<a href=\"http://example.com/foo\" REL=\"nofollow\">One</a>", cleaner.clean(dirty).body().html());
+    }
+
     @Test void discardsSvgScriptData() {
         // https://github.com/jhy/jsoup/issues/2320
         Safelist svgOk = Safelist.none().addTags("svg");