[webkit-changes] [WebKit/WebKit] adb5da: Fix scanEscapedAttributeValue() in HTML fast path ...

Mon, 30 Mar 2026 01:34:40 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: adb5daa54873a149d9a2a74f304801788e444778
      
https://github.com/WebKit/WebKit/commit/adb5daa54873a149d9a2a74f304801788e444778
  Author: Chris Dumez <[email protected]>
  Date:   2026-03-30 (Mon, 30 Mar 2026)

  Changed paths:
    M Source/WebCore/html/parser/HTMLDocumentParserFastPath.cpp
    M Source/WebCore/html/parser/HTMLEntityParser.cpp
    M Source/WebCore/html/parser/HTMLEntityParser.h
    M Tools/TestWebKitAPI/Tests/WebCore/HTMLParserIdioms.cpp

  Log Message:
  -----------
  Fix scanEscapedAttributeValue() in HTML fast path parser only processing one 
character
https://bugs.webkit.org/show_bug.cgi?id=310960

Reviewed by Ryosuke Niwa.

`scanEscapedAttributeValue()` used an `if` instead of a `while` to iterate
over characters in the attribute value. This caused it to process only a
single character or entity reference, then immediately expect the closing
quote. Any attribute value with more than one special character or with
text surrounding an entity (e.g. title="a&amp;b") would fail to parse,
causing an unnecessary fallback to the slow HTML parser.

Also added a missing null byte check in the loop body, matching the
existing check in the analogous `scanEscapedText()`.

Also plumbed the `additionalAllowedCharacter` parameter through to
`consumeHTMLEntity()` for `StringParsingBuffer` overloads, and passed
the quote character from `scanEscapedAttributeValue()`. Per the HTML
spec, named character references without a trailing semicolon that are
followed by an alphanumeric character or `=` must not be consumed in
attribute values. Without this, the fast path would incorrectly consume
entities like `&AElig` followed by `X` in attributes, producing output
that differs from the full parser. This was caught by the
fast/tokenizer/entities-02.html test after I fixed the HTML fast
parser bug in `scanEscapedAttributeValue()`.

Test: Tools/TestWebKitAPI/Tests/WebCore/HTMLParserIdioms.cpp

* Source/WebCore/html/parser/HTMLDocumentParserFastPath.cpp:
(WebCore::HTMLFastPathParser::scanEscapedAttributeValue):
(WebCore::HTMLFastPathParser::scanHTMLCharacterReference):
* Source/WebCore/html/parser/HTMLEntityParser.cpp:
(WebCore::consumeHTMLEntity):
* Source/WebCore/html/parser/HTMLEntityParser.h:
* Tools/TestWebKitAPI/Tests/WebCore/HTMLParserIdioms.cpp:
(TestWebKitAPI::TEST(WebCoreHTMLParser, FastPathEscapedAttributeValues)):
(TestWebKitAPI::TEST(WebCoreHTMLParser, 
FastPathRejectsNullInEscapedAttributeValue)):
(TestWebKitAPI::TEST(WebCoreHTMLParser, 
FastPathEntityWithoutSemicolonInAttributeValue)):

Canonical link: https://commits.webkit.org/310209@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to