fix bug 1615315

Author: Greg Guthe

bleach/html5lib_shim.py

@@ -377,7 +377,12 @@ def __init__(self, tags, strip, consume_entities, **kwargs):
         self.consume_entities = consume_entities
         super(BleachHTMLParser, self).__init__(**kwargs)
 
-    def _parse(self, stream, innerHTML=False, container='div', scripting=False, **kwargs):
+    def _parse(self, stream, innerHTML=False, container='div', scripting=True, **kwargs):
+        # set scripting=True to parse <noscript> as though JS is enabled to
+        # match the expected context in browsers
+        #
+        # https://html.spec.whatwg.org/multipage/scripting.html#the-noscript-element
+        #
         # Override HTMLParser so we can swap out the tokenizer for our own.
         self.innerHTMLMode = innerHTML
         self.container = container

tests/test_clean.py

@@ -771,6 +771,34 @@ def test_nonexistent_namespace():
     assert clean('<d {c}>') == '&lt;d {c}&gt;'
 
 
+# tags that get content passed through (i.e. parsed with parseRCDataRawtext)
+_raw_tags = [
+    "title",
+    "textarea",
+    "script",
+    "style",
+    "noembed",
+    "noframes",
+    "iframe",
+    "xmp",
+]
+
+@pytest.mark.parametrize(
+    "raw_tag, data, expected",
+    [
+        (
+            raw_tag,
+            "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag,
+            "<noscript><%s></noscript>&lt;img src=x onerror=alert(1) /&gt;" % raw_tag,
+        )
+        for raw_tag in _raw_tags
+    ],
+)
+def test_noscript_rawtag_(raw_tag, data, expected):
+    # refs: bug 1615315 / GHSA-q65m-pv3f-wr5r
+    assert clean(data, tags=["noscript", raw_tag]) == expected
+
+
 def get_ids_and_tests():
     """Retrieves regression tests from data/ directory