Normalize (remove or replace) nulls on body

We were checking that the character data was only a null, not if the data contained a null.

Author: jhy

CHANGES.md

@@ -10,6 +10,7 @@
 * Attribute selector values are now compared literally without trimming. Previously, jsoup trimmed whitespace from selector values and from element attribute values, which could cause mismatches with browser behavior (e.g. `[attr=" foo "]`). Now matches align with the CSS specification and browser engines. [#2380](https://github.com/jhy/jsoup/issues/2380)
 * When using the JDK HttpClient, any system default proxy (`ProxySelector.getDefault()`) was ignored. Now, the system proxy is used if a per-request proxy is not set. [#2388](https://github.com/jhy/jsoup/issues/2388), [#2390](https://github.com/jhy/jsoup/pull/2390)
 * A ValidationException could be thrown in the adoption agency algorithm with particularly broken input. Now logged as a parse error. [#2393](https://github.com/jhy/jsoup/issues/2393)
+* Null characters in the HTML body were not consistently removed; and in foreign content were not correctly replaced. [#2395](https://github.com/jhy/jsoup/issues/2395)
 
 
 ## 1.21.2 (2025-Aug-25)

src/main/java/org/jsoup/parser/HtmlTreeBuilder.java

@@ -407,8 +407,20 @@ void insertCommentNode(Token.Comment token) {
         onNodeInserted(node);
     }
 
-    /** Inserts the provided character token into the current element. */
+    /** Inserts the provided character token into the current element. Any nulls in the data will be removed. */
     void insertCharacterNode(Token.Character characterToken) {
+        insertCharacterNode(characterToken, false);
+    }
+
+    /**
+     Inserts the provided character token into the current element. The tokenizer will have already raised precise character errors.
+
+     @param characterToken the character token to insert
+     @param replace if true, replaces any null chars in the data with the replacement char (U+FFFD). If false, removes
+     null chars.
+     */
+    void insertCharacterNode(Token.Character characterToken, boolean replace) {
+        characterToken.normalizeNulls(replace);
         Element el = currentElement(); // will be doc if no current element; allows for whitespace to be inserted into the doc root object (not on the stack)
         insertCharacterToElement(characterToken, el);
     }

src/main/java/org/jsoup/parser/HtmlTreeBuilderState.java

@@ -286,15 +286,12 @@ private boolean anythingElse(Token t, HtmlTreeBuilder tb) {
             switch (t.type) {
                 case Character: {
                     Token.Character c = t.asCharacter();
-                    if (c.getData().equals(nullString)) {
-                        tb.error(this);
-                        return false;
-                    } else if (tb.framesetOk() && isWhitespace(c)) { // don't check if whitespace if frames already closed
+                    if (tb.framesetOk() && isWhitespace(c)) { // don't check if whitespace if frames already closed
                         tb.reconstructFormattingElements();
                         tb.insertCharacterNode(c);
                     } else {
                         tb.reconstructFormattingElements();
-                        tb.insertCharacterNode(c);
+                        tb.insertCharacterNode(c); // strips nulls
                         tb.framesetOk(false);
                     }
                     break;
@@ -1115,13 +1112,7 @@ boolean anythingElse(Token t, HtmlTreeBuilder tb) {
     InTableText {
         @Override boolean process(Token t, HtmlTreeBuilder tb) {
             if (t.type == Token.TokenType.Character) {
-                Token.Character c = t.asCharacter();
-                if (c.getData().equals(nullString)) {
-                    tb.error(this);
-                    return false;
-                } else {
-                    tb.addPendingTableCharacters(c);
-                }
+                tb.addPendingTableCharacters(t.asCharacter()); // gets to insertCharacterNode, which strips nulls
             } else {
                 // insert gathered table text into the correct element:
                 if (tb.getPendingTableCharacters().size() > 0) {
@@ -1454,13 +1445,7 @@ private void closeCell(HtmlTreeBuilder tb) {
 
             switch (t.type) {
                 case Character:
-                    Token.Character c = t.asCharacter();
-                    if (c.getData().equals(nullString)) {
-                        tb.error(this);
-                        return false;
-                    } else {
-                        tb.insertCharacterNode(c);
-                    }
+                    tb.insertCharacterNode(t.asCharacter());
                     break;
                 case Comment:
                     tb.insertCommentNode(t.asComment());
@@ -1790,12 +1775,10 @@ else if (name.equals("col")) {
             switch (t.type) {
                 case Character:
                     Token.Character c = t.asCharacter();
-                    if (c.getData().equals(nullString))
-                        tb.error(this);
-                    else if (HtmlTreeBuilderState.isWhitespace(c))
+                    if (HtmlTreeBuilderState.isWhitespace(c))
                         tb.insertCharacterNode(c);
                     else {
-                        tb.insertCharacterNode(c);
+                        tb.insertCharacterNode(c, true); // replace nulls
                         tb.framesetOk(false);
                     }
                     break;

src/main/java/org/jsoup/parser/Token.java

@@ -415,6 +415,20 @@ public String toString() {
             return getData();
         }
 
+        /**
+         Normalize null chars in the data. If replace is true, replaces with the replacement char; if false, removes.
+         */
+        public void normalizeNulls(boolean replace) {
+            String data = this.data.value();
+            if (data.indexOf(TokeniserState.nullChar) == -1) return;
+
+            data = (replace ?
+                data.replace(TokeniserState.nullChar, Tokeniser.replacementChar) :
+                data.replace(nullString, ""));
+            this.data.set(data);
+        }
+
+        private static final String nullString = String.valueOf(TokeniserState.nullChar);
     }
 
     final static class CData extends Character {

src/test/java/org/jsoup/parser/HtmlParserTest.java

@@ -856,7 +856,7 @@ private static Stream<Arguments> dupeAttributeData() {
 
     @Test public void handlesNullInData() {
         Document doc = Jsoup.parse("<p id=\u0000>Blah \u0000</p>");
-        assertEquals("<p id=\"\uFFFD\">Blah &#x0;</p>", doc.body().html()); // replaced in attr, NOT replaced in data (but is escaped as control char <0x20)
+        assertEquals("<p id=\"\uFFFD\">Blah</p>", doc.body().html()); // replaced in attr, discarded in data
     }
 
     @Test public void handlesNullInComments() {
@@ -2130,4 +2130,42 @@ static void assertErrorsDoNotContain(String msg, ParseErrorList errors) {
         assertEquals("a < b", data.data());
         assertEquals("<data>a < b</data>", data.outerHtml());
     }
+
+    @Test void dropsNullsFromBody() {
+        // https://github.com/jhy/jsoup/issues/2395
+        String html = "<p>\u0000</p><p>\u0000\u0000</p><p>Hi\u0000</p>";
+
+        Parser parser = Parser.htmlParser();
+        parser.setTrackErrors(10);
+
+        Document doc = Jsoup.parse(html, parser);
+        assertEquals("<p></p>\n<p></p>\n<p>Hi</p>", doc.body().html());
+        assertEquals("Hi", doc.body().text());
+
+        ParseErrorList errors = parser.getErrors();
+        assertEquals(4, errors.size());
+        assertEquals("<1:4>: Unexpected character '\u0000' in input state [Data]", errors.get(0).toString());
+        assertEquals("<1:12>: Unexpected character '\u0000' in input state [Data]", errors.get(1).toString());
+        assertEquals("<1:13>: Unexpected character '\u0000' in input state [Data]", errors.get(2).toString());
+        assertEquals("<1:23>: Unexpected character '\u0000' in input state [Data]", errors.get(3).toString());
+        // todo should we replace that null, for convenience?
+    }
+
+    @Test void replacesNullsInForeign() {
+        String html = "<svg><text>\u0000</text><text>\u0000\u0000</text><text>Hi\u0000</text></svg>";
+        Parser parser = Parser.htmlParser();
+        parser.setTrackErrors(10);
+
+        Document doc = Jsoup.parse(html, parser);
+        assertEquals("<svg>\n <text>�</text><text>��</text><text>Hi�</text>\n</svg>", doc.body().html());
+        assertEquals("���Hi�", doc.body().text());
+
+        ParseErrorList errors = parser.getErrors();
+        assertEquals(4, errors.size());
+        assertEquals("<1:12>: Unexpected character '\u0000' in input state [Data]", errors.get(0).toString());
+        assertEquals("<1:26>: Unexpected character '\u0000' in input state [Data]", errors.get(1).toString());
+        assertEquals("<1:27>: Unexpected character '\u0000' in input state [Data]", errors.get(2).toString());
+        assertEquals("<1:43>: Unexpected character '\u0000' in input state [Data]", errors.get(3).toString());
+
+    }
 }