Title: [286399] branches/safari-612-branch
Revision
286399
Author
[email protected]
Date
2021-12-01 16:18:16 -0800 (Wed, 01 Dec 2021)

Log Message

Cherry-pick r286308. rdar://problem/63180952

    Scripting attributes are sometimes not properly stripped from elements when JS is disabled
    https://bugs.webkit.org/show_bug.cgi?id=233642
    <rdar://63180952>

    Reviewed by Geoffrey Garen.

    Source/WebCore:

    HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
    Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().

    Covered by new API tests.

    * html/parser/HTMLConstructionSite.cpp:
    (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):

    Tools:

    Add API test coverage.

    * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
    (TEST):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286308 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-612-branch/Source/WebCore/ChangeLog (286398 => 286399)


--- branches/safari-612-branch/Source/WebCore/ChangeLog	2021-12-02 00:18:12 UTC (rev 286398)
+++ branches/safari-612-branch/Source/WebCore/ChangeLog	2021-12-02 00:18:16 UTC (rev 286399)
@@ -1,5 +1,51 @@
 2021-12-01  Alan Coon  <[email protected]>
 
+        Cherry-pick r286308. rdar://problem/63180952
+
+    Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+    https://bugs.webkit.org/show_bug.cgi?id=233642
+    <rdar://63180952>
+    
+    Reviewed by Geoffrey Garen.
+    
+    Source/WebCore:
+    
+    HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
+    Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
+    
+    Covered by new API tests.
+    
+    * html/parser/HTMLConstructionSite.cpp:
+    (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
+    
+    Tools:
+    
+    Add API test coverage.
+    
+    * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
+    (TEST):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286308 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-11-30  Chris Dumez  <[email protected]>
+
+            Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+            https://bugs.webkit.org/show_bug.cgi?id=233642
+            <rdar://63180952>
+
+            Reviewed by Geoffrey Garen.
+
+            HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
+            Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
+
+            Covered by new API tests.
+
+            * html/parser/HTMLConstructionSite.cpp:
+            (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
+
+2021-12-01  Alan Coon  <[email protected]>
+
         Cherry-pick r285570. rdar://problem/83070565
 
     Fix crash in GraphicsContextCG::endTransparencyLayer

Modified: branches/safari-612-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp (286398 => 286399)


--- branches/safari-612-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2021-12-02 00:18:12 UTC (rev 286398)
+++ branches/safari-612-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2021-12-02 00:18:16 UTC (rev 286399)
@@ -292,6 +292,9 @@
     if (token.attributes().isEmpty())
         return;
 
+    if (!scriptingContentIsAllowed(m_parserContentPolicy))
+        element.stripScriptingAttributes(token.attributes());
+
     for (auto& tokenAttribute : token.attributes()) {
         if (!element.elementData() || !element.findAttributeByName(tokenAttribute.name()))
             element.setAttribute(tokenAttribute.name(), tokenAttribute.value());
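Review bot: The new strip carries no comment saying why it has to run before the merge loop, and a reader could assume the per-attribute `setAttribute` path below already filters scripting attributes; I'd add `// Like the other HTMLConstructionSite paths, drop scripting attributes before they are merged onto the existing element when scripting content is disallowed.` above the new `if`. The call presumably filters `token.attributes()` in place, since the loop below then iterates the same vector, so it is worth confirming that `token` is non-const at this point and that the filtered vector becoming empty is fine for the loop (it is, the loop simply does nothing). The enclosing mergeAttributesFromTokenIntoElement() starts and ends outside the hunk.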

Modified: branches/safari-612-branch/Tools/ChangeLog (286398 => 286399)


--- branches/safari-612-branch/Tools/ChangeLog	2021-12-02 00:18:12 UTC (rev 286398)
+++ branches/safari-612-branch/Tools/ChangeLog	2021-12-02 00:18:16 UTC (rev 286399)
@@ -1,5 +1,48 @@
 2021-12-01  Alan Coon  <[email protected]>
 
+        Cherry-pick r286308. rdar://problem/63180952
+
+    Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+    https://bugs.webkit.org/show_bug.cgi?id=233642
+    <rdar://63180952>
+    
+    Reviewed by Geoffrey Garen.
+    
+    Source/WebCore:
+    
+    HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
+    Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
+    
+    Covered by new API tests.
+    
+    * html/parser/HTMLConstructionSite.cpp:
+    (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
+    
+    Tools:
+    
+    Add API test coverage.
+    
+    * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
+    (TEST):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286308 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-11-30  Chris Dumez  <[email protected]>
+
+            Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+            https://bugs.webkit.org/show_bug.cgi?id=233642
+            <rdar://63180952>
+
+            Reviewed by Geoffrey Garen.
+
+            Add API test coverage.
+
+            * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
+            (TEST):
+
+2021-12-01  Alan Coon  <[email protected]>
+
         Cherry-pick r285720. rdar://problem/83941760
 
     WebKit is unable to recover if a WebProcess gets terminated while it is launching

Modified: branches/safari-612-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm (286398 => 286399)


--- branches/safari-612-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm	2021-12-02 00:18:12 UTC (rev 286398)
+++ branches/safari-612-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm	2021-12-02 00:18:16 UTC (rev 286399)
@@ -28,6 +28,7 @@
 #import "HTTPServer.h"
 #import "PlatformUtilities.h"
 #import "TestNavigationDelegate.h"
+#import "TestWKWebView.h"
 #import <WebKit/WKWebView.h>
 #import <WebKit/WKWebViewConfigurationPrivate.h>
 #import <WebKit/WKWebsiteDataStorePrivate.h>
@@ -149,3 +150,25 @@
     EXPECT_FALSE([WKWebView _willUpgradeToHTTPS:[NSURL URLWithString:@"custom-scheme://www.opengl.org/"]]);
     EXPECT_FALSE([WKWebView _willUpgradeToHTTPS:[NSURL URLWithString:@"http://example.com/"]]);
 }
+
+TEST(WebKit, ConfigurationDisableJavaScript)
+{
+    auto configuration = adoptNS([WKWebViewConfiguration new]);
+    EXPECT_TRUE([configuration _allowsJavaScriptMarkup]);
+    [configuration _setAllowsJavaScriptMarkup:NO];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 100, 100) configuration:configuration.get()]);
+    [webView synchronouslyLoadHTMLString:@"<body _onload_=\"document.write('FAIL');\">PASS</body>"];
+    NSString *bodyHTML = [webView stringByEvaluatingJavaScript:@"document.body.innerHTML"];
+    EXPECT_WK_STREQ(bodyHTML, @"PASS");
+}
+
+TEST(WebKit, ConfigurationDisableJavaScriptNestedBody)
+{
+    auto configuration = adoptNS([WKWebViewConfiguration new]);
+    EXPECT_TRUE([configuration _allowsJavaScriptMarkup]);
+    [configuration _setAllowsJavaScriptMarkup:NO];
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 100, 100) configuration:configuration.get()]);
+    [webView synchronouslyLoadHTMLString:@"<table><body _onload_=\"document.write('FAIL');\"></table>"];
+    NSString *bodyHTML = [webView stringByEvaluatingJavaScript:@"document.body.innerHTML"];
+    EXPECT_WK_STREQ(bodyHTML, @"<table></table>");
+}
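Review bot: As rendered here both new tests spell the event attribute `_onload_` in the `synchronouslyLoadHTMLString:` markup, which is not an event-handler attribute, so `document.write('FAIL')` would never execute and the assertions pass with or without the HTMLConstructionSite fix; unless that is a display artifact of the archive, it should read `onload=\"document.write('FAIL');\"`. The second test deserves a line explaining what it exercises, e.g. `// A second <body> start tag inside <table> is a parse error that merges its attributes onto the existing body, the mergeAttributesFromTokenIntoElement() path the fix targets.` Both tests also read `document.body.innerHTML` via `stringByEvaluatingJavaScript:` while `_allowsJavaScriptMarkup` is NO, which presumably works because that setting governs script sourced from markup rather than injected evaluation; a short comment saying so would save the next reader the same question.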
