Title: [286308] trunk
Revision
286308
Author
[email protected]
Date
2021-11-30 11:24:15 -0800 (Tue, 30 Nov 2021)

Log Message

Scripting attributes are sometimes not properly stripped from elements when JS is disabled
https://bugs.webkit.org/show_bug.cgi?id=233642
<rdar://63180952>

Reviewed by Geoffrey Garen.

Source/WebCore:

HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
attributes from the Element when scripting is disabled, unlike other code paths in HTMLConstructionSite.

Covered by new API tests.

* html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):

Tools:

Add API test coverage.

* TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
(TEST):


Modified: trunk/Source/WebCore/ChangeLog (286307 => 286308)


--- trunk/Source/WebCore/ChangeLog	2021-11-30 19:02:31 UTC (rev 286307)
+++ trunk/Source/WebCore/ChangeLog	2021-11-30 19:24:15 UTC (rev 286308)
@@ -1,3 +1,19 @@
+2021-11-30  Chris Dumez  <[email protected]>
+
+        Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+        https://bugs.webkit.org/show_bug.cgi?id=233642
+        <rdar://63180952>
+
+        Reviewed by Geoffrey Garen.
+
+        HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
+        Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
+
+        Covered by new API tests.
+
+        * html/parser/HTMLConstructionSite.cpp:
+        (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
+
 2021-11-30  Youenn Fablet  <[email protected]>
 
         Add support for rvfc to MediaPlayerPrivateMediaSourceAVFObjC

Modified: trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp (286307 => 286308)


--- trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2021-11-30 19:02:31 UTC (rev 286307)
+++ trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2021-11-30 19:24:15 UTC (rev 286308)
@@ -292,6 +292,9 @@
     if (token.attributes().isEmpty())
         return;
 
+    if (!scriptingContentIsAllowed(m_parserContentPolicy))
+        element.stripScriptingAttributes(token.attributes());
+
     for (auto& tokenAttribute : token.attributes()) {
         if (!element.elementData() || !element.findAttributeByName(tokenAttribute.name()))
             element.setAttribute(tokenAttribute.name(), tokenAttribute.value());
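Review bot: The new guard carries no comment saying why the strip has to sit between the empty-attributes early return and the merge loop, and the ordering is load-bearing: the loop below copies every token attribute the element does not already carry, so a scripting attribute that is not yet on the element would be merged in unless it has been removed from the token first. I would add above the new `if`: `// Remove scripting attributes from the token before merging so that, when the content policy disallows scripting, they are never copied onto the element; keeps this path consistent with the other insertion paths in this class.` Whether stripScriptingAttributes() edits token.attributes() in place or only consults the element cannot be confirmed from the hunk, so the comment's wording should be checked against its definition. mergeAttributesFromTokenIntoElement() begins before this hunk, so any existing header comment is not visible here.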

Modified: trunk/Tools/ChangeLog (286307 => 286308)


--- trunk/Tools/ChangeLog	2021-11-30 19:02:31 UTC (rev 286307)
+++ trunk/Tools/ChangeLog	2021-11-30 19:24:15 UTC (rev 286308)
@@ -1,3 +1,16 @@
+2021-11-30  Chris Dumez  <[email protected]>
+
+        Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+        https://bugs.webkit.org/show_bug.cgi?id=233642
+        <rdar://63180952>
+
+        Reviewed by Geoffrey Garen.
+
+        Add API test coverage.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
+        (TEST):
+
 2021-11-30  Tyler Wilcock  <[email protected]>
 
         AX: Reduce repetition in retrieving typed attribute values in AccessibilityUIElementMac

Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm (286307 => 286308)


--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm	2021-11-30 19:02:31 UTC (rev 286307)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm	2021-11-30 19:24:15 UTC (rev 286308)
@@ -28,6 +28,7 @@
 #import "HTTPServer.h"
 #import "PlatformUtilities.h"
 #import "TestNavigationDelegate.h"
+#import "TestWKWebView.h"
 #import <WebKit/WKWebView.h>
 #import <WebKit/WKWebViewConfigurationPrivate.h>
 #import <WebKit/WKWebsiteDataStorePrivate.h>
@@ -149,3 +150,25 @@
     EXPECT_FALSE([WKWebView _willUpgradeToHTTPS:[NSURL URLWithString:@"custom-scheme://www.opengl.org/"]]);
     EXPECT_FALSE([WKWebView _willUpgradeToHTTPS:[NSURL URLWithString:@"http://example.com/"]]);
 }
+
+TEST(WebKit, ConfigurationDisableJavaScript)
+{
+    auto configuration = adoptNS([WKWebViewConfiguration new]);
+    EXPECT_TRUE([configuration _allowsJavaScriptMarkup]);
+    [configuration _setAllowsJavaScriptMarkup:NO];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 100, 100) configuration:configuration.get()]);
+    [webView synchronouslyLoadHTMLString:@"<body _onload_=\"document.write('FAIL');\">PASS</body>"];
+    NSString *bodyHTML = [webView stringByEvaluatingJavaScript:@"document.body.innerHTML"];
+    EXPECT_WK_STREQ(bodyHTML, @"PASS");
+}
+
+TEST(WebKit, ConfigurationDisableJavaScriptNestedBody)
+{
+    auto configuration = adoptNS([WKWebViewConfiguration new]);
+    EXPECT_TRUE([configuration _allowsJavaScriptMarkup]);
+    [configuration _setAllowsJavaScriptMarkup:NO];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 100, 100) configuration:configuration.get()]);
+    [webView synchronouslyLoadHTMLString:@"<table><body _onload_=\"document.write('FAIL');\"></table>"];
+    NSString *bodyHTML = [webView stringByEvaluatingJavaScript:@"document.body.innerHTML"];
+    EXPECT_WK_STREQ(bodyHTML, @"<table></table>");
+}
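Review bot: The attribute in both HTML fixtures reads `_onload_`, which looks like an archive rendering artifact of `onload`; if the checked-in source really contains `_onload_`, neither test exercises a scripting attribute and both assertions would hold even without the HTMLConstructionSite fix, so this should be confirmed against the repository. Independently of that, both tests assert only the absence of the `document.write('FAIL')` side effect; a direct check that the handler attribute was dropped makes the intent explicit and does not depend on when load fires, e.g. `EXPECT_WK_STREQ([webView stringByEvaluatingJavaScript:@"String(document.body.hasAttribute('onload'))"], @"false");` after each existing expectation. The configuration and web view setup is duplicated verbatim across the two TEST bodies; a small static helper that takes the HTML string and returns the web view would keep them in step when the setup changes.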