- Revision: 286310
- Author: [email protected]
- Date: 2021-11-30 11:34:38 -0800 (Tue, 30 Nov 2021)
Log Message
Constructing a FormData from a form can lead to entries with lone surrogates
https://bugs.webkit.org/show_bug.cgi?id=225299
Patch by Andreu Botella <[email protected]> on 2021-11-30
Reviewed by Chris Dumez.
LayoutTests/imported/w3c:
* web-platform-tests/html/semantics/forms/form-submission-0/form-data-set-usv-expected.txt:
Source/WebCore:
According to the HTML specification, names and non-file values in a form's entry list are
scalar value strings. While this is enforced through WebIDL when the entries are added
through the FormData web API, entries that come directly from form controls can contain lone
surrogates. What's more, when a form payload is created from such an entry list, those lone
surrogates can end up encoded as invalid UTF-8.
Since names and non-file values being scalar value strings is an invariant of entry lists,
this change modifies the createFileEntry function in DOMFormData.cpp to replace lone
surrogates in the entry name, and adds a corresponding createStringEntry function, in order
to ensure that every item of the entry list fulfills this invariant.
Tests: imported/w3c/web-platform-tests/html/semantics/forms/form-submission-0/form-data-set-usv.html
* html/DOMFormData.cpp:
(WebCore::createStringEntry): Added to mirror createFileEntry. Replaces lone surrogates in
the name and value.
(WebCore::createFileEntry): Moved from DOMFormData::createFileEntry, and changed to replace
lone surrogates in the entry name.
(WebCore::DOMFormData::append): Changed to use createStringEntry.
(WebCore::DOMFormData::createFileEntry): Moved to createFileEntry.
* html/DOMFormData.h:
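The byte-level effect the log message describes, as an added JavaScript example that is not part of the WebKit change. The function names are illustrative, and the sample string is constructed to match the "input1" name with a trailing lone surrogate seen in the test expectation.

```javascript
// Added example: helper names are illustrative, not WebKit's.

// Replace every unpaired UTF-16 surrogate with U+FFFD (scalar value string).
function toScalarValueString(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    const isHigh = cu >= 0xd800 && cu <= 0xdbff;
    const isLow = cu >= 0xdc00 && cu <= 0xdfff;
    if (isHigh && i + 1 < s.length) {
      const next = s.charCodeAt(i + 1);
      if (next >= 0xdc00 && next <= 0xdfff) {
        out += s[i] + s[i + 1]; // well-formed pair, keep both units
        i++;
        continue;
      }
    }
    out += isHigh || isLow ? "\ufffd" : s[i];
  }
  return out;
}

// Lenient encoder: applies the generic UTF-8 bit layout to every code point,
// surrogates included. A lone surrogate becomes ED A0..BF xx, which strict
// UTF-8 decoders reject.
function lenientUtf8(s) {
  const bytes = [];
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (cp < 0x80) bytes.push(cp);
    else if (cp < 0x800) bytes.push(0xc0 | (cp >> 6), 0x80 | (cp & 0x3f));
    else if (cp < 0x10000)
      bytes.push(0xe0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
    else
      bytes.push(0xf0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3f),
                 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
  }
  return bytes;
}

const hex = (bytes) => bytes.map((b) => b.toString(16).padStart(2, "0")).join(" ");

// Strict validity check using the platform decoder in fatal mode.
function isValidUtf8(bytes) {
  try { new TextDecoder("utf-8", { fatal: true }).decode(new Uint8Array(bytes)); return true; }
  catch { return false; }
}

const raw = "input1\udc01"; // constructed sample: trailing lone low surrogate
console.log(hex(lenientUtf8(raw)), isValidUtf8(lenientUtf8(raw)));
console.log(hex(lenientUtf8(toScalarValueString(raw))));
```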
Diff
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (286309 => 286310)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2021-11-30 19:25:08 UTC (rev 286309)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2021-11-30 19:34:38 UTC (rev 286310)
@@ -1,3 +1,12 @@
+2021-11-30 Andreu Botella <[email protected]>
+
+ Constructing a FormData from a form can lead to entries with lone surrogates
+ https://bugs.webkit.org/show_bug.cgi?id=225299
+
+ Reviewed by Chris Dumez.
+
+ * web-platform-tests/html/semantics/forms/form-submission-0/form-data-set-usv-expected.txt:
+
2021-11-30 Martin Robinson <[email protected]>
Transition from perspective(500px) to 'none' is probably wrong
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/form-submission-0/form-data-set-usv-expected.txt (286309 => 286310)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/form-submission-0/form-data-set-usv-expected.txt 2021-11-30 19:25:08 UTC (rev 286309)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/forms/form-submission-0/form-data-set-usv-expected.txt 2021-11-30 19:34:38 UTC (rev 286310)
@@ -1,5 +1,5 @@
-FAIL Strings from form controls should be converted to Unicode scalar values in form submission assert_equals: expected "69 6e 70 75 74 31 ef bf bd 3d 69 6e 70 75 74 31 ef bf bd 0d 0a 69 6e 70 75 74 32 ef bf bd 3d 69 6e 70 75 74 32 ef bf bd 0d 0a 69 6e 70 75 74 33 ef bf bd 3d 69 6e 70 75 74 33 ef bf bd 0d 0a 69 6e 70 75 74 34 ef bf bd 3d 69 6e 70 75 74 34 ef bf bd 0d 0a" but got "69 6e 70 75 74 31 ed b0 81 3d 69 6e 70 75 74 31 ed b0 81 0d 0a 69 6e 70 75 74 32 ed b0 81 3d 69 6e 70 75 74 32 ed b0 81 0d 0a 69 6e 70 75 74 33 ed b0 81 3d 69 6e 70 75 74 33 ed b0 81 0d 0a 69 6e 70 75 74 34 ed b0 81 3d 69 6e 70 75 74 34 ed b0 81 0d 0a"
-FAIL Strings from form controls should be converted to Unicode scalar values in FormData assert_equals: expected (string) "input1\ufffd" but got (object) null
+PASS Strings from form controls should be converted to Unicode scalar values in form submission
+PASS Strings from form controls should be converted to Unicode scalar values in FormData
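Review bot: The only malformed input evidenced by these expectations is a lone low surrogate at the end of each name and value (the removed FAIL line shows ed b0 81, i.e. U+DC01, after "input1" through "input4"). Since the fix is meant to hold for any unpaired surrogate, it would be worth adding cases upstream for a lone high surrogate and for a surrogate in the middle of a string, so a regression in either position is caught.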
Modified: trunk/Source/WebCore/ChangeLog (286309 => 286310)
--- trunk/Source/WebCore/ChangeLog 2021-11-30 19:25:08 UTC (rev 286309)
+++ trunk/Source/WebCore/ChangeLog 2021-11-30 19:34:38 UTC (rev 286310)
@@ -1,3 +1,32 @@
+2021-11-30 Andreu Botella <[email protected]>
+
+ Constructing a FormData from a form can lead to entries with lone surrogates
+ https://bugs.webkit.org/show_bug.cgi?id=225299
+
+ Reviewed by Chris Dumez.
+
+ According to the HTML specification, names and non-file values in a form's entry list are
+ scalar value strings. While this is enforced through WebIDL when the entries are added
+ through the FormData web API, entries that come directly from form controls can contain lone
+ surrogates. What's more, when a form payload is created from such an entry list, those lone
+ surrogates can end up encoded as invalid UTF-8.
+
+ Since names and non-file values being scalar value strings is an invariant of entry lists,
+ this change modifies the createFileEntry function in DOMFormData.cpp to replace lone
+ surrogates in the entry name, and adds a corresponding createStringEntry function, in order
+ to ensure that every item of the entry list fulfills this invariant.
+
+ Tests: imported/w3c/web-platform-tests/html/semantics/forms/form-submission-0/form-data-set-usv.html
+
+ * html/DOMFormData.cpp:
+ (WebCore::createStringEntry): Added to mirror createFileEntry. Replaces lone surrogates in
+ the name and value.
+ (WebCore::createFileEntry): Moved from DOMFormData::createFileEntry, and changed to replace
+ lone surrogates in the entry name.
+ (WebCore::DOMFormData::append): Changed to use createStringEntry.
+ (WebCore::DOMFormData::createFileEntry): Moved to createFileEntry.
+ * html/DOMFormData.h:
+
2021-11-30 Gabriel Nava Marino <[email protected]>
Use scriptDisallowedScope in FrameSelection::updateAppearance
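Review bot: The trailing `* html/DOMFormData.h:` entry has no description. A short note such as "Removed the createFileEntry member declaration" would match the per-function entries given for DOMFormData.cpp and tell a reader of the ChangeLog why the header was touched.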
Modified: trunk/Source/WebCore/html/DOMFormData.cpp (286309 => 286310)
--- trunk/Source/WebCore/html/DOMFormData.cpp 2021-11-30 19:25:08 UTC (rev 286309)
+++ trunk/Source/WebCore/html/DOMFormData.cpp 2021-11-30 19:34:38 UTC (rev 286310)
@@ -69,21 +69,32 @@
return newFormData;
}
-// https://xhr.spec.whatwg.org/#create-an-entry
-auto DOMFormData::createFileEntry(const String& name, Blob& blob, const String& filename) -> Item
+// https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#create-an-entry
+static auto createStringEntry(const String& name, const String& value) -> DOMFormData::Item
{
+ return {
+ replaceUnpairedSurrogatesWithReplacementCharacter(String(name)),
+ replaceUnpairedSurrogatesWithReplacementCharacter(String(value)),
+ };
+}
+
+// https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#create-an-entry
+static auto createFileEntry(const String& name, Blob& blob, const String& filename) -> DOMFormData::Item
+{
+ auto usvName = replaceUnpairedSurrogatesWithReplacementCharacter(String(name));
+
if (!blob.isFile())
- return { name, File::create(blob.scriptExecutionContext(), blob, filename.isNull() ? "blob"_s : filename) };
-
+ return { usvName, File::create(blob.scriptExecutionContext(), blob, filename.isNull() ? "blob"_s : filename) };
+
if (!filename.isNull())
- return { name, File::create(blob.scriptExecutionContext(), downcast<File>(blob), filename) };
+ return { usvName, File::create(blob.scriptExecutionContext(), downcast<File>(blob), filename) };
- return { name, RefPtr<File> { &downcast<File>(blob) } };
+ return { usvName, RefPtr<File> { &downcast<File>(blob) } };
}
void DOMFormData::append(const String& name, const String& value)
{
- m_items.append({ name, value });
+ m_items.append(createStringEntry(name, value));
}
void DOMFormData::append(const String& name, Blob& blob, const String& filename)
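Review bot: In the new static createFileEntry, `filename` is still handed to File::create unchanged in both branches, while only `name` goes through replaceUnpairedSurrogatesWithReplacementCharacter. If that is intentional because the entry-list invariant covers names and non-file values only, a one-line comment saying so would save the next reader from wondering whether a lone surrogate in the filename can still reach the encoded payload. Separately, the listed test's two subtests are titled for strings from form controls, so it is not clear from this change that the file-entry name path is exercised; a case with a file entry whose name contains a lone surrogate would cover the `usvName` lines.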
Modified: trunk/Source/WebCore/html/DOMFormData.h (286309 => 286310)
--- trunk/Source/WebCore/html/DOMFormData.h 2021-11-30 19:25:08 UTC (rev 286309)
+++ trunk/Source/WebCore/html/DOMFormData.h 2021-11-30 19:34:38 UTC (rev 286310)
@@ -80,7 +80,6 @@
private:
explicit DOMFormData(const TextEncoding& = UTF8Encoding());
- Item createFileEntry(const String& name, Blob&, const String& filename);
void set(const String& name, Item&&);
TextEncoding m_encoding;
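Review bot: With createFileEntry removed from the class, the remaining private `set(const String& name, Item&&)` still accepts a ready-made Item, so the scalar-value invariant holds only if every caller builds that Item through the new static helpers in DOMFormData.cpp. The .cpp hunk shown converts the string append() only; please confirm the set() callers construct their Item via createStringEntry or createFileEntry, or consider enforcing the replacement inside set() so the invariant lives in one place.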