[webkit-changes] [WebKit/WebKit] 21df09: in media queries should reject ...

Wed, 18 Mar 2026 11:48:01 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 21df09b4a6b86cdd61f7b1e2269b874b3bf918b1
      
https://github.com/WebKit/WebKit/commit/21df09b4a6b86cdd61f7b1e2269b874b3bf918b1
  Author: Ahmad Saleem <[email protected]>
  Date:   2026-03-18 (Wed, 18 Mar 2026)

  Changed paths:
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute-display-none-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute-quirks-mode-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute-standards-mode-expected.txt
    M 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute-width-1000px-expected.txt
    M Source/WebCore/css/parser/CSSParserTokenRange.cpp
    M Source/WebCore/css/parser/CSSParserTokenRange.h
    M Source/WebCore/css/query/GenericMediaQueryParser.h

  Log Message:
  -----------
  <general-enclosed> in media queries should reject content with unmatched 
close brackets per <any-value> grammar
https://bugs.webkit.org/show_bug.cgi?id=309966
rdar://172575115

Reviewed by Antti Koivisto.

The CSS spec defines [1] <general-enclosed> as ( <any-value>? ), where 
<any-value>
explicitly forbids [2] bad tokens and unmatched close brackets (], ), }).
WebKit's media query parser was accepting any parenthesized content as
<general-enclosed> without validating this constraint.

This caused `(min-width:0) or (])` to incorrectly match: (]) was accepted as
GeneralEnclosed (evaluating to Unknown), and Kleene logic gives True or Unknown 
= True.
Per spec, (]) should fail to parse as <general-enclosed>, causing the entire 
or-condition
to fail.

[1] https://drafts.csswg.org/mediaqueries-4/#typedef-general-enclosed
[2] https://drafts.csswg.org/css-syntax-3/#typedef-any-value

* Source/WebCore/css/parser/CSSParserTokenRange.h:
* Source/WebCore/css/parser/CSSParserTokenRange.cpp:
(WebCore::CSSParserTokenRange::consumeAnyValue):
Added consumeAnyValue() which validates the <any-value> grammar by rejecting
bad tokens (BadStringToken, BadUrlToken) and unmatched close brackets
(RightParenthesisToken, RightBracketToken, RightBraceToken with non-BlockEnd 
type).

* Source/WebCore/css/query/GenericMediaQueryParser.h:
(WebCore::MQ::GenericMediaQueryParser<ConcreteParser>::consumeQueryInParens):
Use consumeAnyValue() to validate block content before creating GeneralEnclosed,
for both the function-token and parenthesized-block paths.

> Progressions:
* 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute-display-non
e-expected.txt:
* 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute-quirks-mode
-expected.txt:
* 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute-standards-m
ode-expected.txt:
* 
LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute-width-1000p
x-expected.txt:

Canonical link: https://commits.webkit.org/309497@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to