
Elements within `<noscript>` cannot be rewritten

Open bglw opened this issue 2 years ago • 1 comments

It looks like lol-html currently parses the `<noscript>` element as RawText, along with the usual candidates like `<style>` and `<iframe>`. That's the correct behavior when parsing/tokenizing HTML with the scripting flag enabled.

It begs a question whether lol-html should be pretending to have the scripting flag enabled or disabled. I could see arguments either way, and it would at least be a useful option to have. In the current state, it's impossible to rewrite these elements that will be shown for end users not running JavaScript.

I don't know if there would be any real ramifications to turning the scripting flag on — from what I can see it only affects tokenization/parsing of the `<noscript>` element. The main downside would be breaking/confusing the parser if the `<noscript>` contains garbage — but since it should contain HTML in the case where scripting is disabled, valid HTML should be a reasonable expectation here.

Originally posted by @bglw in https://github.com/cloudflare/lol-html/issues/184#issuecomment-1891050746

bglw, Feb 01 '24 19:02

It would be nice to make it just work as if `<noscript>` was just a hidden `<div>`, but technically it's very difficult to support.

Markup like this: `<noscript><a href="</noscript>` has to close the noscript element, but it wouldn't close anything if we just continued parsing the content as regular HTML. Problems like these have the potential to mess up the rest of the document and enable XSS, so we can't just ignore the edge cases.

We would have to create a fresh instance of the parser just for the content of the noscript, while making handlers' selectors match elements across the two parsers (so that `#context noscript > a` matches the right thing).

kornelski, Jun 30 '25 15:06
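
The divergence described in the comment above, as an added example that is not part of the thread and not lol-html's code: a simplified Rust model of the two tokenization modes, run over the noscript content from the comment followed by a constructed `<p>`. The function names and the scanner itself are assumptions made for illustration; comments, CDATA and other tokenizer states are not modelled.

```rust
// Added example: a simplified model, not lol-html's tokenizer.
const END: &[u8] = b"</noscript";

fn starts_with_ci(hay: &[u8], needle: &[u8]) -> bool {
    hay.len() >= needle.len() && hay[..needle.len()].eq_ignore_ascii_case(needle)
}

/// Scripting enabled: the content is raw text, so the first "</noscript" ends it.
fn end_as_rawtext(body: &str) -> Option<usize> {
    let b = body.as_bytes();
    (0..b.len()).find(|&i| starts_with_ci(&b[i..], END))
}

/// Content tokenized as regular markup: an end tag is only recognised
/// outside other tags and outside quoted attribute values.
fn end_as_html(body: &str) -> Option<usize> {
    let b = body.as_bytes();
    let mut i = 0;
    while i < b.len() {
        if b[i] != b'<' { i += 1; continue; }
        if starts_with_ci(&b[i..], END) { return Some(i); }
        // Inside a tag: skip to its closing '>', honouring quoted values.
        let mut after_eq = false;
        i += 1;
        loop {
            match *b.get(i)? { // end of input inside a tag: no end tag seen
                b'>' => break,
                b'=' => after_eq = true,
                q @ (b'"' | b'\'') if after_eq => {
                    // Jump to the matching quote; None if it never closes.
                    i += 1 + b[i + 1..].iter().position(|&c| c == q)?;
                    after_eq = false;
                }
                c if c.is_ascii_whitespace() => {}
                _ => after_eq = false,
            }
            i += 1;
        }
        i += 1;
    }
    None
}

fn main() {
    // Content following the <noscript> start tag; the <p> is constructed.
    let body = "<a href=\"</noscript><p>rest of page</p>";
    println!("raw text mode ends noscript at {:?}", end_as_rawtext(body));
    println!("markup mode ends noscript at   {:?}", end_as_html(body));
}
```

When the two functions disagree on an input, a rewriter using one mode and a browser using the other see different element boundaries for the rest of the document.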