On Mon, May 2, 2016 at 8:51 PM, L. David Baron <[email protected]> wrote:
> So, at the very
> least, limiting in the parser isn't effective anymore and we need
> checks at later stages, which hopefully could be done in a
> standardizable way.

Having dynamic fallback checks for anything not currently standardized
is of course perfectly sensible.  But we should standardize what we
can.

If the idea is to stop stack overflow, it doesn't make sense to me to
have the check in the parser at all.  It should be on the DOM level.
Otherwise, scripts could make an arbitrarily deep stack, like this:

<!DOCTYPE html>
<body><script>
var cur = document.body;
for (var i = 0; i < 10000; i++) {
  var child = document.createElement("span");
  cur.appendChild(child);
  if (child.parentNode != cur) {
    break;
  }
  cur = child;
}
document.body.textContent = i;
</script>

Which outputs 10000.  And indeed, removing the last line of the script
causes an immediate tab crash both in Firefox and Chrome.  So if this
is a security issue, we're vulnerable right now.  If not, we should
probably just standardize the parser limit.  If Firefox and Chrome
both have parser depth limits but not script-exposed depth limits,
probably that's because a non-negligible number of sites historically
hit the parser depth limits, but scripts haven't been much of an
issue.
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform
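The message argues that a depth limit meant to prevent stack overflow belongs at the DOM level, where script-driven insertion is also covered, rather than only in the HTML parser. The following is an added example, not code from the thread or from any browser engine: a minimal stand-in tree (the constructed names `TreeNode`, `MAX_DEPTH`, `heightIterative`, `relabelDepth` and `nestSpans` are not browser APIs) whose `appendChild` enforces the limit on insertion, including when a whole deep subtree is reparented, and computes depth with an explicit stack so the check itself cannot overflow the call stack. `nestSpans` replays the loop from the message against this tree.

```javascript
// Added example, not from the mailing-list thread or any browser engine.
// Constructed limit for the demo; real engines choose their own value.
const MAX_DEPTH = 512;

class TreeNode {
  constructor(name) {
    this.name = name;
    this.parentNode = null;
    this.childNodes = [];
    this.depth = 0; // root is depth 0; maintained on every insertion
  }

  // DOM-level check: applied on insertion regardless of whether the node
  // came from the parser or from script. The whole subtree being inserted
  // counts, so reparenting a deep subtree under a deep node is refused too.
  appendChild(child) {
    const subtreeHeight = heightIterative(child);
    if (this.depth + 1 + subtreeHeight > MAX_DEPTH) {
      throw new RangeError(`nesting depth would exceed ${MAX_DEPTH}`);
    }
    if (child.parentNode) {
      const siblings = child.parentNode.childNodes;
      siblings.splice(siblings.indexOf(child), 1);
    }
    child.parentNode = this;
    this.childNodes.push(child);
    relabelDepth(child, this.depth + 1);
    return child;
  }
}

// Height of a subtree (0 for a leaf) using an explicit stack, so measuring a
// pathologically deep tree does not itself recurse the call stack.
function heightIterative(root) {
  let max = 0;
  const stack = [[root, 0]];
  while (stack.length) {
    const [node, d] = stack.pop();
    if (d > max) max = d;
    for (const c of node.childNodes) stack.push([c, d + 1]);
  }
  return max;
}

// Rewrite cached depths after a subtree moves, again without recursion.
function relabelDepth(root, depth) {
  const stack = [[root, depth]];
  while (stack.length) {
    const [node, d] = stack.pop();
    node.depth = d;
    for (const c of node.childNodes) stack.push([c, d + 1]);
  }
}

// Replays the loop from the message against the stand-in tree and returns
// how many nested spans were accepted before the DOM-level check refused one.
function nestSpans(count) {
  const body = new TreeNode("body");
  let cur = body;
  let i = 0;
  for (; i < count; i++) {
    const child = new TreeNode("span");
    try {
      cur.appendChild(child);
    } catch (e) {
      if (e instanceof RangeError) break;
      throw e;
    }
    if (child.parentNode !== cur) break;
    cur = child;
  }
  return i;
}

module.exports = { MAX_DEPTH, TreeNode, heightIterative, relabelDepth, nestSpans };
```

With the limit enforced in `appendChild`, `nestSpans(10000)` stops at `MAX_DEPTH` instead of building a 10000-deep chain, which is the behaviour a parser-only limit cannot provide. A real engine would also need the same check on the other insertion paths (insertBefore, replaceChild, innerHTML, adoption across documents), and the failure mode on reaching the limit is a design choice: throwing, silently dropping the node, or flattening, each with different web-compat consequences.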
