Chromium Code Reviews

Issue 2630253002: Teach the background parser to ignore certain elements inside '<select>'. (Closed)

Created: 2 years, 2 months ago by Mike West
Modified: 2 years, 2 months ago
Reviewers:
CC: chromium-reviews
Target Ref: refs/pending/branch-heads/2924
Project: chromium
Visibility: Public.

Description

Teach the background parser to ignore certain elements inside '<select>'.

'HTMLTreeBuilderSimulator' doesn't currently understand that we shouldn't hop into PLAINTEXTState or RAWTEXTState inside '<select>' elements. This has the unfortunate side-effect of enabling dangling markup injection attacks that exfiltrate data via '<select><option><plaintext>' and etc.

This patch ensures that `<select>` behaves as specified, matching Safari, Firefox, and Edge's behavior.

Thanks to @zcorpan for pointing out Blink's error in the thread at https://github.com/whatwg/html/issues/2252.

BUG=680072
Review-Url: https://codereview.chromium.org/2625103002
Cr-Commit-Position: refs/heads/master@{#443573}
(cherry picked from commit 8150200aff6ad60b092fd2ddb7eddcb6d0cc13df)
Review-Url: https://codereview.chromium.org/2630253002 .
Cr-Commit-Position: refs/branch-heads/2924@{#770}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}
Committed: https://chromium.googlesource.com/chromium/src/+/c5fd9d8eda10d0a69c0bb90fd179695f9c403f46
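The "in select" rule the description refers to, as an added example that is not Blink's code: a toy tree-builder simulator that decides whether a start tag may move the tokenizer out of the DATA state, with the pre-fix behaviour (select scope ignored) beside the spec-compliant one. The tag table is a subset of the HTML spec's state-switching elements and the sample input is constructed; both are assumptions, not taken from the patch.

```python
import re
from enum import Enum

class TokState(Enum):
    DATA = "DATA"
    PLAINTEXT = "PLAINTEXT"
    RAWTEXT = "RAWTEXT"
    RCDATA = "RCDATA"
    SCRIPT_DATA = "SCRIPT_DATA"

# Start tags whose "in body" handling moves the tokenizer out of DATA
# (assumed subset of the HTML spec's list; not Blink's own table).
SWITCHES = {"plaintext": TokState.PLAINTEXT, "script": TokState.SCRIPT_DATA,
            "textarea": TokState.RCDATA, "title": TokState.RCDATA,
            "style": TokState.RAWTEXT, "xmp": TokState.RAWTEXT,
            "iframe": TokState.RAWTEXT, "noembed": TokState.RAWTEXT}
TAG = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")

def first_state_switch(html, spec_compliant):
    """Scan `html` as a tree-builder simulator would and return
    (tokenizer state after the first switch, text swallowed by that state).
    spec_compliant=False models the pre-fix behaviour (select scope ignored);
    True applies the spec's "in select" insertion-mode rules."""
    select_depth = 0
    for m in TAG.finditer(html):
        closing, name = m.group(1) == "/", m.group(2).lower()
        if name == "select":
            select_depth = max(0, select_depth - 1) if closing else select_depth + 1
            continue
        if closing or name not in SWITCHES:
            continue
        if select_depth and spec_compliant:
            if name == "textarea":   # "in select": pops the <select>, token reprocessed in body
                select_depth = 0
            elif name != "script":   # plaintext, title, style, ...: parse error, token ignored
                continue
        state, rest = SWITCHES[name], html[m.end():]
        if state is TokState.PLAINTEXT:                # PLAINTEXT never returns to DATA
            return state, rest
        end = re.search(rf"</{name}\s*>", rest, re.I)  # back to DATA only at the matching end tag
        return state, rest[:end.start()] if end else rest
    return TokState.DATA, ""

# Constructed sample: dangling markup followed by page content that should
# stay markup (a form carrying a token) instead of becoming option text.
SAMPLE = ("<div><select><option><plaintext></select>"
          "<form><input name=csrf value=TOKEN></form></div>")
```

With `spec_compliant=False` everything after `<plaintext>` is reported as swallowed text; with `True` the tag is ignored inside the select and the tokenizer stays in DATA.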

Patch Set 1

Stats: +149 lines, -13 lines

A third_party/WebKit/LayoutTests/fast/parser/inselect-tokenization.html (1 chunk, +106 lines, -0 lines)
M third_party/WebKit/Source/core/html/parser/HTMLTreeBuilderSimulator.h (1 chunk, +1 line, -0 lines)
M third_party/WebKit/Source/core/html/parser/HTMLTreeBuilderSimulator.cpp (3 chunks, +42 lines, -13 lines)

Messages

Total messages: 2 (1 generated)
Mike West
2 years, 2 months ago (2017-01-16 08:53:44 UTC) #2
Message was sent while issue was closed.
Committed patchset #1 (id:1) manually as
c5fd9d8eda10d0a69c0bb90fd179695f9c403f46.
