Block HTML Imports from loading when inserted via innerHTML.

third_party/WebKit/Source/core/html/parser/HTMLConstructionSite.cpp

 /*
  * Copyright (C) 2010 Google, Inc. All Rights Reserved.
  * Copyright (C) 2011 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
@@ skipping 20 matching lines @@
 #include "core/dom/Comment.h"
 #include "core/dom/DocumentFragment.h"
 #include "core/dom/DocumentType.h"
 #include "core/dom/Element.h"
 #include "core/dom/ScriptLoader.h"
 #include "core/dom/TemplateContentDocumentFragment.h"
 #include "core/dom/Text.h"
 #include "core/frame/LocalFrame.h"
 #include "core/html/HTMLFormElement.h"
 #include "core/html/HTMLHtmlElement.h"
+#include "core/html/HTMLLinkElement.h"
 #include "core/html/HTMLPlugInElement.h"
 #include "core/html/HTMLScriptElement.h"
 #include "core/html/HTMLTemplateElement.h"
 #include "core/html/parser/AtomicHTMLToken.h"
 #include "core/html/parser/HTMLParserIdioms.h"
 #include "core/html/parser/HTMLStackItem.h"
 #include "core/html/parser/HTMLToken.h"
 #include "core/loader/FrameLoader.h"
 #include "core/loader/FrameLoaderClient.h"
 #include "core/svg/SVGScriptElement.h"
@@ skipping 568 matching lines @@
 void HTMLConstructionSite::insertHTMLElement(AtomicHTMLToken* token)
 {
     RefPtrWillBeRawPtr<HTMLElement> element = createHTMLElement(token);
     attachLater(currentNode(), element);
     m_openElements.push(HTMLStackItem::create(element.release(), token));
 }
 
 void HTMLConstructionSite::insertSelfClosingHTMLElementDestroyingToken(AtomicHTMLToken* token)
 {
     ASSERT(token->type() == HTMLToken::StartTag);
+
+    // Link tags require special processing in order to ensure that they don't execute script when
+    // they ought not to.
+    if (token->name() == linkTag) {
+        insertLinkElement(token);

[dglazkov, 2016/02/05 18:25:53]

Would it be better to just split linkTag from
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit...

+        return;
+    }
+
     // Normally HTMLElementStack is responsible for calling finishParsingChildren,
     // but self-closing elements are never in the element stack so the stack
     // doesn't get a chance to tell them that we're done parsing their children.
     attachLater(currentNode(), createHTMLElement(token), true);
     // FIXME: Do we want to acknowledge the token's self-closing flag?
     // http://www.whatwg.org/specs/web-apps/current-work/multipage/tokenization.html#acknowledge-self-closing-flag
 }
 
 void HTMLConstructionSite::insertFormattingElement(AtomicHTMLToken* token)
 {
@@ skipping 13 matching lines @@
     // those flags or effects thereof.
     const bool parserInserted = m_parserContentPolicy != AllowScriptingContentAndDoNotMarkAlreadyStarted;
     const bool alreadyStarted = m_isParsingFragment && parserInserted;
     RefPtrWillBeRawPtr<HTMLScriptElement> element = HTMLScriptElement::create(ownerDocumentForCurrentNode(), parserInserted, alreadyStarted);
     setAttributes(element.get(), token, m_parserContentPolicy);
     if (scriptingContentIsAllowed(m_parserContentPolicy))
         attachLater(currentNode(), element);
     m_openElements.push(HTMLStackItem::create(element.release(), token));
 }
 
+void HTMLConstructionSite::insertLinkElement(AtomicHTMLToken* token)
+{
+    // We use the same 'alreadyStarted' flag for link elements as we do for script elements. That isn't
+    // in the HTML spec, or in the HTML Imports spec, but we need it for sane behavior in the latter.
+    //
+    // See 'insertScriptElement()' above for detail.
+    const bool parserInserted = m_parserContentPolicy != AllowScriptingContentAndDoNotMarkAlreadyStarted;

[kouhei (in TOK), 2016/02/08 01:30:24]

I'm not sure if we should respect
"AllowScriptingContentAndDoNotMarkAlreadyStarted" here.
However, after some archeology, the only code using the flag is added on the CL:
https://chromium.googlesource.com/chromium/src/+/ea2645777533e3efba4f2ab16f49...
And I don't see a good reason why the code needs to use the flag.
Let me try a CL that removes the flag entirely.

+    const bool alreadyStarted = m_isParsingFragment && parserInserted;
+    RefPtrWillBeRawPtr<HTMLLinkElement> element = HTMLLinkElement::create(ownerDocumentForCurrentNode(), parserInserted, alreadyStarted);
+    setAttributes(element.get(), token, m_parserContentPolicy);
+    attachLater(currentNode(), element, true);
+}
+
 void HTMLConstructionSite::insertForeignElement(AtomicHTMLToken* token, const AtomicString& namespaceURI)
 {
     ASSERT(token->type() == HTMLToken::StartTag);
     notImplemented(); // parseError when xmlns or xmlns:xlink are wrong.
 
     RefPtrWillBeRawPtr<Element> element = createElement(token, namespaceURI);
     if (scriptingContentIsAllowed(m_parserContentPolicy) || !toScriptLoaderIfPossible(element.get()))
         attachLater(currentNode(), element, token->selfClosing());
     if (!token->selfClosing())
         m_openElements.push(HTMLStackItem::create(element.release(), token, namespaceURI));
@@ skipping 199 matching lines @@
     queueTask(task);
 }
 
 DEFINE_TRACE(HTMLConstructionSite::PendingText)
 {
     visitor->trace(parent);
     visitor->trace(nextChild);
 }
 
 } // namespace blink