Title: [288628] branches/safari-611.3.10.1-branch
- Revision
- 288628
- Author
- [email protected]
- Date
- 2022-01-26 10:04:26 -0800 (Wed, 26 Jan 2022)
Log Message
Cherry-pick r286308. rdar://problem/85830732
Scripting attributes are sometimes not properly stripped from elements when JS is disabled
https://bugs.webkit.org/show_bug.cgi?id=233642
<rdar://63180952>
Reviewed by Geoffrey Garen.
Source/WebCore:
HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
Covered by new API tests.
* html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
Tools:
Add API test coverage.
* TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
(TEST):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286308 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-611.3.10.1-branch/Source/WebCore/ChangeLog (288627 => 288628)
--- branches/safari-611.3.10.1-branch/Source/WebCore/ChangeLog 2022-01-26 18:01:02 UTC (rev 288627)
+++ branches/safari-611.3.10.1-branch/Source/WebCore/ChangeLog 2022-01-26 18:04:26 UTC (rev 288628)
@@ -1,3 +1,48 @@
+2022-01-26 Alan Coon <[email protected]>
+
+ Cherry-pick r286308. rdar://problem/85830732
+
+ Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=233642
+ <rdar://63180952>
+
+ Reviewed by Geoffrey Garen.
+
+ Source/WebCore:
+
+ HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
+ Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
+
+ Covered by new API tests.
+
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
+
+ Tools:
+
+ Add API test coverage.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
+ (TEST):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286308 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-11-30 Chris Dumez <[email protected]>
+
+ Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=233642
+ <rdar://63180952>
+
+ Reviewed by Geoffrey Garen.
+
+ HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
+ Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
+
+ Covered by new API tests.
+
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
+
2021-08-21 Kocsen Chung <[email protected]>
Cherry-pick r281384. rdar://problem/82195071
Modified: branches/safari-611.3.10.1-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp (288627 => 288628)
--- branches/safari-611.3.10.1-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2022-01-26 18:01:02 UTC (rev 288627)
+++ branches/safari-611.3.10.1-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2022-01-26 18:04:26 UTC (rev 288628)
@@ -290,6 +290,9 @@
if (token.attributes().isEmpty())
return;
+ if (!scriptingContentIsAllowed(m_parserContentPolicy))
+ element.stripScriptingAttributes(token.attributes());
+
for (auto& tokenAttribute : token.attributes()) {
if (!element.elementData() || !element.findAttributeByName(tokenAttribute.name()))
element.setAttribute(tokenAttribute.name(), tokenAttribute.value());
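Review bot: The new strip at the top of the merge path carries no explanation of why it exists here while the loop below still copies every remaining token attribute, so the next reader cannot tell it mirrors the element-creation path without reading the ChangeLog; a one-line comment would fix that: `// Same policy as element creation: never merge scripting (e.g. event-handler) attributes into an existing element when scripting content is not allowed.` Note that `stripScriptingAttributes` is applied to `token.attributes()` directly, which appears to mutate the token in place rather than a copy — harmless if the token is not consulted again afterwards, but that cannot be confirmed from the hunk. The enclosing mergeAttributesFromTokenIntoElement() starts before the hunk, so the early `isEmpty()` return on the first context line is the only precondition visible here.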
Modified: branches/safari-611.3.10.1-branch/Tools/ChangeLog (288627 => 288628)
--- branches/safari-611.3.10.1-branch/Tools/ChangeLog 2022-01-26 18:01:02 UTC (rev 288627)
+++ branches/safari-611.3.10.1-branch/Tools/ChangeLog 2022-01-26 18:04:26 UTC (rev 288628)
@@ -1,3 +1,45 @@
+2022-01-26 Alan Coon <[email protected]>
+
+ Cherry-pick r286308. rdar://problem/85830732
+
+ Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=233642
+ <rdar://63180952>
+
+ Reviewed by Geoffrey Garen.
+
+ Source/WebCore:
+
+ HTMLConstructionSite::mergeAttributesFromTokenIntoElement() was not properly stripping scripting
+ Element attributes when scripting is disabled, unlike other code paths in HTMLConstructionSite().
+
+ Covered by new API tests.
+
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
+
+ Tools:
+
+ Add API test coverage.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
+ (TEST):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286308 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-11-30 Chris Dumez <[email protected]>
+
+ Scripting attributes are sometimes not properly stripped from elements when JS is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=233642
+ <rdar://63180952>
+
+ Reviewed by Geoffrey Garen.
+
+ Add API test coverage.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
+ (TEST):
+
2021-06-15 Alan Coon <[email protected]>
Cherry-pick r278318. rdar://problem/79355222
Modified: branches/safari-611.3.10.1-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm (288627 => 288628)
--- branches/safari-611.3.10.1-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm 2022-01-26 18:01:02 UTC (rev 288627)
+++ branches/safari-611.3.10.1-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm 2022-01-26 18:04:26 UTC (rev 288628)
@@ -26,6 +26,7 @@
#import "config.h"
#import "PlatformUtilities.h"
+#import "TestWKWebView.h"
#import <WebKit/WKWebView.h>
#import <WebKit/WKWebViewConfigurationPrivate.h>
#import <WebKit/WKWebsiteDataStore.h>
@@ -95,3 +96,25 @@
}];
TestWebKitAPI::Util::run(&done);
}
+
+TEST(WebKit, ConfigurationDisableJavaScript)
+{
+ auto configuration = adoptNS([WKWebViewConfiguration new]);
+ EXPECT_TRUE([configuration _allowsJavaScriptMarkup]);
+ [configuration _setAllowsJavaScriptMarkup:NO];
+ auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 100, 100) configuration:configuration.get()]);
+ [webView synchronouslyLoadHTMLString:@"<body _onload_=\"document.write('FAIL');\">PASS</body>"];
+ NSString *bodyHTML = [webView stringByEvaluatingJavaScript:@"document.body.innerHTML"];
+ EXPECT_WK_STREQ(bodyHTML, @"PASS");
+}
+
+TEST(WebKit, ConfigurationDisableJavaScriptNestedBody)
+{
+ auto configuration = adoptNS([WKWebViewConfiguration new]);
+ EXPECT_TRUE([configuration _allowsJavaScriptMarkup]);
+ [configuration _setAllowsJavaScriptMarkup:NO];
+ auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 100, 100) configuration:configuration.get()]);
+ [webView synchronouslyLoadHTMLString:@"<table><body _onload_=\"document.write('FAIL');\"></table>"];
+ NSString *bodyHTML = [webView stringByEvaluatingJavaScript:@"document.body.innerHTML"];
+ EXPECT_WK_STREQ(bodyHTML, @"<table></table>");
+}
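Review bot: Both new tests assert only that the inline handler did not run (`innerHTML` is `PASS` / `<table></table>`), not that the scripting attribute was actually removed from the element, so a regression where the attribute survives on the body but is merely not executed would still pass; adding `EXPECT_WK_STREQ([webView stringByEvaluatingJavaScript:@"document.body.outerHTML"], @"<body>PASS</body>");` after the existing check pins the stripping itself (the nested-body case would expect `<body><table></table></body>`). Separately, the attribute name in the test HTML is rendered as `_onload_` on both `synchronouslyLoadHTMLString:` lines; that looks like mail-archive mangling of `onload`, but if the committed source literally contains `_onload_` it is not a scripting attribute and the tests would pass regardless of the fix — worth confirming against the repository.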