Crash fix: Avoid using stale HTMLToken after tree construction

third_party/WebKit/LayoutTests/fast/parser/strip-script-attrs-on-input.html

Index: third_party/WebKit/LayoutTests/fast/parser/strip-script-attrs-on-input.html
diff --git a/third_party/WebKit/LayoutTests/fast/parser/strip-script-attrs-on-input.html b/third_party/WebKit/LayoutTests/fast/parser/strip-script-attrs-on-input.html
new file mode 100644
index 0000000000000000000000000000000000000000..feba9acb85f7a80019695b511131aedc3313c0ca
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/parser/strip-script-attrs-on-input.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<body>
+<div contenteditable="true" id="target">
+    <!-- Blink will remove javascript url attrs when copy&pasted. -->
+    <input onblur="javascript:false;" onclick="javascript:false;" type="text"/>
+</div>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+requestAnimationFrame(function() {
+    var target = document.getElementById("target");
+    var selection = window.getSelection();
+    var range = document.createRange();
+    range.selectNodeContents(target);
+    selection.addRange(range);
+
+    // Invoke HTML parser with ParserContentPolicy disabling scripting content.
+    document.execCommand("Cut");
+    document.execCommand("Paste");
+
+    target.innerHTML = '';
+    testRunner.notifyDone();
+});
+</script>
+<p>PASS: if no OOB access detected in ASAN.</p>
+</body>