Title: [288645] branches/safari-609.4.1.1-branch
- Revision
- 288645
- Author
- alanc...@apple.com
- Date
- 2022-01-26 14:15:10 -0800 (Wed, 26 Jan 2022)
Log Message
Cherry-pick r286308. rdar://problem/85830759
Scripting attributes are sometimes not properly stripped from elements when JS is disabled
https://bugs.webkit.org/show_bug.cgi?id=233642
<rdar://63180952>
Reviewed by Geoffrey Garen.
Source/WebCore:
HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
Covered by new API tests.
* html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
Tools:
Add API test coverage.
* TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
(TEST):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286308 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified: branches/safari-609.4.1.1-branch/Source/WebCore/ChangeLog (288644 => 288645)
--- branches/safari-609.4.1.1-branch/Source/WebCore/ChangeLog 2022-01-26 21:59:56 UTC (rev 288644)
+++ branches/safari-609.4.1.1-branch/Source/WebCore/ChangeLog 2022-01-26 22:15:10 UTC (rev 288645)
@@ -1,3 +1,48 @@
+2022-01-26 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r286308. rdar://problem/85830759
+
+ Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=233642
+ <rdar://63180952>
+
+ Reviewed by Geoffrey Garen.
+
+ Source/WebCore:
+
+ HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
+ Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
+
+ Covered by new API tests.
+
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
+
+ Tools:
+
+ Add API test coverage.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
+ (TEST):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286308 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-11-30 Chris Dumez <cdu...@apple.com>
+
+ Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=233642
+ <rdar://63180952>
+
+ Reviewed by Geoffrey Garen.
+
+ HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
+ Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
+
+ Covered by new API tests.
+
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
+
2020-06-16 Russell Epstein <repst...@apple.com>
Cherry-pick r263129. rdar://problem/64428805
Modified: branches/safari-609.4.1.1-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp (288644 => 288645)
--- branches/safari-609.4.1.1-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2022-01-26 21:59:56 UTC (rev 288644)
+++ branches/safari-609.4.1.1-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2022-01-26 22:15:10 UTC (rev 288645)
@@ -290,6 +290,9 @@
if (token.attributes().isEmpty())
return;
+ if (!scriptingContentIsAllowed(m_parserContentPolicy))
+ element.stripScriptingAttributes(token.attributes());
+
for (auto& tokenAttribute : token.attributes()) {
if (!element.elementData() || !element.findAttributeByName(tokenAttribute.name()))
element.setAttribute(tokenAttribute.name(), tokenAttribute.value());
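Review bot: The new strip at the top of the merge loop carries no comment, and because the creation paths already strip scripting attributes a later reader could take this one for a redundant repeat and remove it, reopening the bug. Suggest a short why-comment above the guard: `// Tokens merged into an existing element bypass the element-creation paths, so scripting attributes must be stripped here too when the policy disallows them.` The merged tokens are presumably the duplicate <body>/<html> start tags that the new API tests exercise; confirm against the callers. Note also that the emptiness early-return runs before the strip, so an attribute list that becomes empty after stripping still enters the loop harmlessly, which is fine but worth a word in the same comment. mergeAttributesFromTokenIntoElement begins outside this hunk.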
Modified: branches/safari-609.4.1.1-branch/Tools/ChangeLog (288644 => 288645)
--- branches/safari-609.4.1.1-branch/Tools/ChangeLog 2022-01-26 21:59:56 UTC (rev 288644)
+++ branches/safari-609.4.1.1-branch/Tools/ChangeLog 2022-01-26 22:15:10 UTC (rev 288645)
@@ -1,3 +1,45 @@
+2022-01-26 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r286308. rdar://problem/85830759
+
+ Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=233642
+ <rdar://63180952>
+
+ Reviewed by Geoffrey Garen.
+
+ Source/WebCore:
+
+ HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
+ Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
+
+ Covered by new API tests.
+
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
+
+ Tools:
+
+ Add API test coverage.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
+ (TEST):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286308 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-11-30 Chris Dumez <cdu...@apple.com>
+
+ Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=233642
+ <rdar://63180952>
+
+ Reviewed by Geoffrey Garen.
+
+ Add API test coverage.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
+ (TEST):
+
2020-06-15 Russell Epstein <repst...@apple.com>
Cherry-pick r262918. rdar://problem/64315999
Modified: branches/safari-609.4.1.1-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm (288644 => 288645)
--- branches/safari-609.4.1.1-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm 2022-01-26 21:59:56 UTC (rev 288644)
+++ branches/safari-609.4.1.1-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm 2022-01-26 22:15:10 UTC (rev 288645)
@@ -26,6 +26,7 @@
#import "config.h"
#import "PlatformUtilities.h"
+#import "TestWKWebView.h"
#import <WebKit/WKWebView.h>
#import <WebKit/WKWebViewConfigurationPrivate.h>
#import <WebKit/WKWebsiteDataStore.h>
@@ -95,3 +96,25 @@
}];
TestWebKitAPI::Util::run(&done);
}
+
+TEST(WebKit, ConfigurationDisableJavaScript)
+{
+ auto configuration = adoptNS([WKWebViewConfiguration new]);
+ EXPECT_TRUE([configuration _allowsJavaScriptMarkup]);
+ [configuration _setAllowsJavaScriptMarkup:NO];
+ auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 100, 100) configuration:configuration.get()]);
+ [webView synchronouslyLoadHTMLString:@"<body _onload_=\"document.write('FAIL');\">PASS</body>"];
+ NSString *bodyHTML = [webView stringByEvaluatingJavaScript:@"document.body.innerHTML"];
+ EXPECT_WK_STREQ(bodyHTML, @"PASS");
+}
+
+TEST(WebKit, ConfigurationDisableJavaScriptNestedBody)
+{
+ auto configuration = adoptNS([WKWebViewConfiguration new]);
+ EXPECT_TRUE([configuration _allowsJavaScriptMarkup]);
+ [configuration _setAllowsJavaScriptMarkup:NO];
+ auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 100, 100) configuration:configuration.get()]);
+ [webView synchronouslyLoadHTMLString:@"<table><body _onload_=\"document.write('FAIL');\"></table>"];
+ NSString *bodyHTML = [webView stringByEvaluatingJavaScript:@"document.body.innerHTML"];
+ EXPECT_WK_STREQ(bodyHTML, @"<table></table>");
+}
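Review bot: Both new tests cover only the duplicate-body merge; if the same merge path handles a second `<html>` start tag (as the caller names in HTMLConstructionSite suggest, though the hunk does not show it), a third case such as loading `<html><body>PASS</body><html _onload_="document.write('FAIL');">` and again expecting `PASS` would pin that branch as well. The event-handler attribute appears here as `_onload_`, which looks like list-archive mangling of the attribute name rather than the committed source; worth confirming the test file itself uses the real name, otherwise the test never exercises the stripping. Stylistically, `[WKWebViewConfiguration new]` could be `[[WKWebViewConfiguration alloc] init]` to match the `alloc`/`init` form used for the web view on the next lines.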