Disallow consecutive combinators in CSS selectors (#2311)

cketti · web-flow · commit c4dd25ee7257 · 2025-04-25T06:29:04.000+10:00
diff --git a/src/main/java/org/jsoup/select/QueryParser.java b/src/main/java/org/jsoup/select/QueryParser.java
@@ -55,7 +55,7 @@ public static Evaluator parse(String query) {
      Parse the query. We use this simplified expression of the grammar:
      <pre>
      SelectorGroup   ::= Selector (',' Selector)*
-     Selector        ::= SimpleSequence ( Combinator SimpleSequence )*
+     Selector        ::= [ Combinator ] SimpleSequence ( Combinator SimpleSequence )*
      SimpleSequence  ::= [ TypeSelector ] ( ID | Class | Attribute | Pseudo )*
      Pseudo           ::= ':' Name [ '(' SelectorGroup ')' ]
      Combinator      ::= S+         // descendant (whitespace)
@@ -85,8 +85,16 @@ Evaluator parseSelectorGroup() {
     }
 
     Evaluator parseSelector() {
-        // SimpleSequence ( Combinator SimpleSequence )*
-        Evaluator left = parseSimpleSequence();
+        // Selector ::= [ Combinator ] SimpleSequence ( Combinator SimpleSequence )*
+        tq.consumeWhitespace();
+
+        Evaluator left;
+        if (tq.matchesAny(Combinators)) {
+            // e.g. query is "> div"; left side is root element
+            left = new StructuralEvaluator.Root();
+        } else {
+            left = parseSimpleSequence();
+        }
 
         while (true) {
             char combinator = 0;
@@ -117,8 +125,6 @@ Evaluator parseSimpleSequence() {
             left = byTag();
         else if (tq.matchChomp('*'))
             left = new Evaluator.AllElements();
-        else if (tq.matchesAny(Combinators))  // e.g. query is "> div"; type is root element
-            left = new StructuralEvaluator.Root();
 
         // zero or more subclasses (#, ., [)
         while(true) {
diff --git a/src/test/java/org/jsoup/select/QueryParserTest.java b/src/test/java/org/jsoup/select/QueryParserTest.java
@@ -214,4 +214,18 @@ public void exceptOnUnhandledEvaluator() {
             assertThrows(SelectorParseException.class, () -> QueryParser.parse("div:has(p))"));
         assertEquals("Could not parse query 'div:has(p))': unexpected token at ')'", exception.getMessage());
     }
+
+    @Test void consecutiveCombinators() {
+        Selector.SelectorParseException exception1 =
+                assertThrows(Selector.SelectorParseException.class, () -> QueryParser.parse("div>>p"));
+        assertEquals(
+                "Could not parse query 'div>>p': unexpected token at '>p'",
+                exception1.getMessage());
+
+        Selector.SelectorParseException exception2 =
+                assertThrows(Selector.SelectorParseException.class, () -> QueryParser.parse("+ + div"));
+        assertEquals(
+                "Could not parse query '+ + div': unexpected token at '+ div'",
+                exception2.getMessage());
+    }
 }
