Use proper escaping in TokenQueue.escapeCssIdentifier() (#2305)

---------

Co-authored-by: Jonathan Hedley <jonathan@hedley.net>

Author: cketti

src/main/java/org/jsoup/parser/TokenQueue.java

@@ -273,23 +273,74 @@ public static String unescape(String in) {
         return StringUtil.releaseBuilder(out);
     }
 
-    /*
-    Given a CSS identifier (such as a tag, ID, or class), escape any CSS special characters that would otherwise not be
-    valid in a selector.
+    /**
+     Given a CSS identifier (such as a tag, ID, or class), escape any CSS special characters that would otherwise not be
+     valid in a selector.
+
+     @see <a href="https://www.w3.org/TR/cssom-1/#serialize-an-identifier">CSS Object Model, serialize an identifier</a>
      */
     public static String escapeCssIdentifier(String in) {
+        if (in.isEmpty()) return in;
+
         StringBuilder out = StringUtil.borrowBuilder();
         TokenQueue q = new TokenQueue(in);
+
+        char firstChar = q.current();
+        if (firstChar == Hyphen_Minus) {
+            q.advance();
+            if (q.isEmpty()) {
+                // If the character is the first character and is a "-" (U+002D), and there is no second character, then
+                // the escaped character.
+                appendEscaped(out, Hyphen_Minus);
+            } else {
+                out.append(Hyphen_Minus);
+
+                char secondChar = q.current();
+                if (CharacterReader.isDigit(secondChar)) {
+                    // If the character is the second character and is in the range [0-9] (U+0030 to U+0039) and the
+                    // first character is a "-" (U+002D), then the character escaped as code point.
+                    appendEscapedCodepoint(out, q.consume());
+                }
+            }
+        } else if (CharacterReader.isDigit(firstChar)) {
+            // If the character is the first character and is in the range [0-9] (U+0030 to U+0039), then the character
+            // escaped as code point.
+            appendEscapedCodepoint(out, q.consume());
+        }
+
         while (!q.isEmpty()) {
-            if (q.matchesCssIdentifier(CssIdentifierChars)) {
-                out.append(q.consume());
+            // Note: It's fine to iterate on chars because non-ASCII characters are never escaped. So surrogate pairs
+            // are kept intact.
+            char c = q.consume();
+            if (c == Unicode_Null) {
+                // If the character is NULL (U+0000), then the REPLACEMENT CHARACTER (U+FFFD).
+                out.append(Replacement);
+            } else if (c <= '\u001F' || c == '\u007F') {
+                // If the character is in the range [\1-\1f] (U+0001 to U+001F) or is U+007F, then the character
+                // escaped as code point.
+                appendEscapedCodepoint(out, c);
+            } else if (isIdent(c)) {
+                // If the character is not handled by one of the above rules and is greater than or equal to U+0080,
+                // is "-" (U+002D) or "_" (U+005F), or is in one of the ranges [0-9] (U+0030 to U+0039),
+                // [A-Z] (U+0041 to U+005A), or [a-z] (U+0061 to U+007A), then the character itself.
+                out.append(c);
             } else {
-                out.append(Esc).append(q.consume());
+                // Otherwise, the escaped character.
+                appendEscaped(out, c);
             }
         }
+
         return StringUtil.releaseBuilder(out);
     }
 
+    private static void appendEscaped(StringBuilder out, char c) {
+        out.append(Esc).append(c);
+    }
+
+    private static void appendEscapedCodepoint(StringBuilder out, char c) {
+        out.append(Esc).append(Integer.toHexString(c)).append(' ');
+    }
+
     /**
      * Pulls the next run of whitespace characters of the queue.
      * @return Whether consuming whitespace or not

src/main/java/org/jsoup/select/Selector.java

@@ -2,6 +2,7 @@
 
 import org.jsoup.helper.Validate;
 import org.jsoup.nodes.Element;
+import org.jsoup.parser.TokenQueue;
 import org.jspecify.annotations.Nullable;
 
 import java.util.Collection;
@@ -218,6 +219,33 @@ static Elements filterOut(Collection<Element> elements, Collection<Element> outs
         return null;
     }
 
+    /**
+     Given a CSS identifier (such as a tag, ID, or class), escape any CSS special characters that would otherwise not be
+     valid in a selector.
+
+     @see <a href="https://www.w3.org/TR/cssom-1/#serialize-an-identifier">CSS Object Model, serialize an identifier</a>
+     @since 1.20.1
+     */
+    public static String escapeCssIdentifier(String in) {
+        return TokenQueue.escapeCssIdentifier(in);
+    }
+
+    /**
+     Consume a CSS identifier (ID or class) off the queue.
+     <p>Note: For backwards compatibility this method supports improperly formatted CSS identifiers, e.g. {@code 1} instead
+     of {@code \31}.</p>
+
+     @return The unescaped identifier.
+     @throws IllegalArgumentException if an invalid escape sequence was found.
+     @see <a href="https://www.w3.org/TR/css-syntax-3/#consume-name">CSS Syntax Module Level 3, Consume an ident sequence</a>
+     @see <a href="https://www.w3.org/TR/css-syntax-3/#typedef-ident-token">CSS Syntax Module Level 3, ident-token</a>
+     @since 1.20.1
+     */
+    public static String unescapeCssIdentifier(String in) {
+        TokenQueue tq = new TokenQueue(in);
+        return tq.consumeCssIdentifier();
+    }
+
     public static class SelectorParseException extends IllegalStateException {
         public SelectorParseException(String msg) {
             super(msg);

src/test/java/org/jsoup/nodes/ElementTest.java

@@ -2697,6 +2697,26 @@ void prettySerializationRoundTrips(Document.OutputSettings settings) {
         assertSelectedOwnText(selected, "One");
     }
 
+    @Test void cssSelectorCombined() {
+        // https://github.com/jhy/jsoup/issues/1984
+        Document doc = Jsoup.parse("<img class='e\u0301'><p class=👨‍👨‍👧‍👧></p><a class='\uD83D\uDC68\u200D\uD83D\uDC68\u200D\uD83D\uDC67\u200D\uD83D\uDC67'></a>");
+        Element img = doc.expectFirst("img");
+        Element p = doc.expectFirst("p");
+        Element a = doc.expectFirst("a");
+
+        String imgQ = img.cssSelector();
+        String pQ = p.cssSelector();
+        String aQ = a.cssSelector();
+
+        assertEquals("html > body > img.é", imgQ); // previously was img.e\́; chrome gives literal body > img.e\\u0301
+        assertEquals("html > body > p.👨‍👨‍👧‍👧", pQ); // chrome gives body > p.👨‍👨‍👧‍👧
+        assertEquals("html > body > a.👨‍👨‍👧‍👧", aQ); // body > a.👨‍👨‍👧‍👧
+
+        assertSame(img, doc.expectFirst(imgQ));
+        assertSame(p, doc.expectFirst(pQ));
+        assertSame(a, doc.expectFirst(aQ));
+    }
+
     @Test void orphanSiblings() {
         Element el = new Element("div");
         assertEquals(0, el.siblingElements().size());

src/test/java/org/jsoup/parser/TokenQueueTest.java

@@ -54,8 +54,99 @@ public class TokenQueueTest {
         assertEquals("\\&", TokenQueue.unescape("\\\\\\&"));
     }
 
-    @Test public void escapeCssIdentifier() {
-        assertEquals("one\\#two\\.three\\/four\\\\five", TokenQueue.escapeCssIdentifier("one#two.three/four\\five"));
+    @ParameterizedTest
+    @MethodSource("escapeCssIdentifier_WebPlatformTestParameters")
+    @MethodSource("escapeCssIdentifier_additionalParameters")
+    public void escapeCssIdentifier(String expected, String input) {
+        assertEquals(expected, TokenQueue.escapeCssIdentifier(input));
+    }
+
+    // https://github.com/web-platform-tests/wpt/blob/328fa1c67bf5dfa6f24571d4c41dd10224b6d247/css/cssom/escape.html
+    private static Stream<Arguments> escapeCssIdentifier_WebPlatformTestParameters() {
+        return Stream.of(
+            Arguments.of("", ""),
+
+            // Null bytes
+            Arguments.of("\uFFFD", "\0"),
+            Arguments.of("a\uFFFD", "a\0"),
+            Arguments.of("\uFFFDb", "\0b"),
+            Arguments.of("a\uFFFDb", "a\0b"),
+
+            // Replacement character
+            Arguments.of("\uFFFD", "\uFFFD"),
+            Arguments.of("a\uFFFD", "a\uFFFD"),
+            Arguments.of("\uFFFDb", "\uFFFDb"),
+            Arguments.of("a\uFFFDb", "a\uFFFDb"),
+
+            // Number prefix
+            Arguments.of("\\30 a", "0a"),
+            Arguments.of("\\31 a", "1a"),
+            Arguments.of("\\32 a", "2a"),
+            Arguments.of("\\33 a", "3a"),
+            Arguments.of("\\34 a", "4a"),
+            Arguments.of("\\35 a", "5a"),
+            Arguments.of("\\36 a", "6a"),
+            Arguments.of("\\37 a", "7a"),
+            Arguments.of("\\38 a", "8a"),
+            Arguments.of("\\39 a", "9a"),
+
+            // Letter number prefix
+            Arguments.of("a0b", "a0b"),
+            Arguments.of("a1b", "a1b"),
+            Arguments.of("a2b", "a2b"),
+            Arguments.of("a3b", "a3b"),
+            Arguments.of("a4b", "a4b"),
+            Arguments.of("a5b", "a5b"),
+            Arguments.of("a6b", "a6b"),
+            Arguments.of("a7b", "a7b"),
+            Arguments.of("a8b", "a8b"),
+            Arguments.of("a9b", "a9b"),
+
+            // Dash number prefix
+            Arguments.of("-\\30 a", "-0a"),
+            Arguments.of("-\\31 a", "-1a"),
+            Arguments.of("-\\32 a", "-2a"),
+            Arguments.of("-\\33 a", "-3a"),
+            Arguments.of("-\\34 a", "-4a"),
+            Arguments.of("-\\35 a", "-5a"),
+            Arguments.of("-\\36 a", "-6a"),
+            Arguments.of("-\\37 a", "-7a"),
+            Arguments.of("-\\38 a", "-8a"),
+            Arguments.of("-\\39 a", "-9a"),
+
+            // Double dash prefix
+            Arguments.of("--a", "--a"),
+
+            // Various tests
+            Arguments.of("\\1 \\2 \\1e \\1f ", "\u0001\u0002\u001E\u001F"),
+            Arguments.of("\u0080\u002D\u005F\u00A9", "\u0080\u002D\u005F\u00A9"),
+            Arguments.of("\\7f \u0080\u0081\u0082\u0083\u0084\u0085\u0086\u0087\u0088\u0089\u008A\u008B\u008C\u008D\u008E\u008F\u0090\u0091\u0092\u0093\u0094\u0095\u0096\u0097\u0098\u0099\u009A\u009B\u009C\u009D\u009E\u009F", "\u007F\u0080\u0081\u0082\u0083\u0084\u0085\u0086\u0087\u0088\u0089\u008A\u008B\u008C\u008D\u008E\u008F\u0090\u0091\u0092\u0093\u0094\u0095\u0096\u0097\u0098\u0099\u009A\u009B\u009C\u009D\u009E\u009F"),
+            Arguments.of("\u00A0\u00A1\u00A2", "\u00A0\u00A1\u00A2"),
+            Arguments.of("a0123456789b", "a0123456789b"),
+            Arguments.of("abcdefghijklmnopqrstuvwxyz", "abcdefghijklmnopqrstuvwxyz"),
+            Arguments.of("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
+
+            Arguments.of("hello\\\\world", "hello\\world"), // Backslashes get backslash-escaped
+            Arguments.of("hello\u1234world", "hello\u1234world"), // Code points greater than U+0080 are preserved
+            Arguments.of("\\-", "-"), // CSS.escape: Single dash escaped
+
+            Arguments.of("\\ \\!xy", "\u0020\u0021\u0078\u0079"),
+
+            // astral symbol (U+1D306 TETRAGRAM FOR CENTRE)
+            Arguments.of("\uD834\uDF06", "\uD834\uDF06"),
+
+            // lone surrogates
+            Arguments.of("\uDF06", "\uDF06"),
+            Arguments.of("\uD834", "\uD834")
+        );
+    }
+
+    private static Stream<Arguments> escapeCssIdentifier_additionalParameters() {
+        return Stream.of(
+            Arguments.of("one\\#two\\.three\\/four\\\\five", "one#two.three/four\\five"),
+            Arguments.of("-a", "-a"),
+            Arguments.of("--", "--")
+        );
     }
 
     @Test public void chompToIgnoreCase() {

src/test/java/org/jsoup/select/SelectorTest.java

@@ -1461,4 +1461,17 @@ public void testAncestorChain() {
         Element img = doc.expectFirst(q);
         assertEquals("img", img.tagName());
     }
+
+    @Test void escapeCssIdentifier() {
+        // thorough tests are in TokenQueue
+        assertEquals("-\\30 a", Selector.escapeCssIdentifier("-0a"));
+        assertEquals("a0b", Selector.escapeCssIdentifier("a0b"));
+    }
+
+    @Test void unescapeCssIdentifier() {
+        // thorough tests are in TokenQueue
+        assertEquals("-0a", Selector.unescapeCssIdentifier("-\\30 a"));
+        assertEquals("a0b", Selector.unescapeCssIdentifier("a0b"));
+    }
+
 }