Teach the background parser to ignore certain elements inside '<select>'.

Teach the background parser to ignore certain elements inside '<select>'.

'HTMLTreeBuilderSimulator' doesn't currently understand that we shouldn't
hop into PLAINTEXTState or RAWTEXTState inside '<select>' elements. This
has the unfortunate side-effect of enabling dangling markup injection
attacks that exfiltrate data via '<select><option><plaintext>' and etc.

This patch ensures that `<select>` behaves as specified, matching Safari,
Firefox, and Edge's behavior.

Thanks to @zcorpan for pointing out Blink's error in the thread ad
https://github.com/whatwg/html/issues/2252.

BUG=680072
Review-Url: https://codereview.chromium.org/2625103002
Cr-Commit-Position: refs/heads/master@{#443573}
(cherry picked from commit 8150200aff6ad60b092fd2ddb7eddcb6d0cc13df)

Review-Url: https://codereview.chromium.org/2630253002 .
Cr-Commit-Position: refs/branch-heads/2924@{#770}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}
Committed: https://chromium.googlesource.com/chromium/src/+/c5fd9d8eda10d0a69c0bb90fd179695f9c403f46

[Mike West, 2017-01-16 08:53:42]

Description was changed from

==========
Teach the background parser to ignore certain elements inside '<select>'.

'HTMLTreeBuilderSimulator' doesn't currently understand that we shouldn't
hop into PLAINTEXTState or RAWTEXTState inside '<select>' elements. This
has the unfortunate side-effect of enabling dangling markup injection
attacks that exfiltrate data via '<select><option><plaintext>' and etc.

This patch ensures that `<select>` behaves as specified, matching Safari,
Firefox, and Edge's behavior.

Thanks to @zcorpan for pointing out Blink's error in the thread ad
https://github.com/whatwg/html/issues/2252.

BUG=680072

Review-Url: https://codereview.chromium.org/2625103002
Cr-Commit-Position: refs/heads/master@{#443573}
(cherry picked from commit 8150200aff6ad60b092fd2ddb7eddcb6d0cc13df)
==========

to

==========
Teach the background parser to ignore certain elements inside '<select>'.

'HTMLTreeBuilderSimulator' doesn't currently understand that we shouldn't
hop into PLAINTEXTState or RAWTEXTState inside '<select>' elements. This
has the unfortunate side-effect of enabling dangling markup injection
attacks that exfiltrate data via '<select><option><plaintext>' and etc.

This patch ensures that `<select>` behaves as specified, matching Safari,
Firefox, and Edge's behavior.

Thanks to @zcorpan for pointing out Blink's error in the thread ad
https://github.com/whatwg/html/issues/2252.

BUG=680072

Review-Url: https://codereview.chromium.org/2625103002
Cr-Commit-Position: refs/heads/master@{#443573}
(cherry picked from commit 8150200aff6ad60b092fd2ddb7eddcb6d0cc13df)

Review-Url: https://codereview.chromium.org/2630253002 .
Cr-Commit-Position: refs/branch-heads/2924@{#770}
Cr-Branched-From:
3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}
Committed:
https://chromium.googlesource.com/chromium/src/+/c5fd9d8eda10d0a69c0bb90fd179...
==========

[Mike West, 2017-01-16 08:53:44]

Committed patchset #1 (id:1) manually as
c5fd9d8eda10d0a69c0bb90fd179695f9c403f46.