12744 2007-02-12 09:39:38 -0800 innerHTML in PRE not properly escaped 2014-04-24 16:44:51 -0700 1 1 1 Unclassified WebKit JavaScriptCore 312.x All All RESOLVED DUPLICATE 12735 P2 Normal --- 0 msamuel webkit-unassigned mjs oldest_to_newest 24070 0 msamuel 2007-02-12 09:39:38 -0800 The attached html page demonstrates what I think is a bug in Safari. I have only tested with Safari 2.0.4, not the latest version of Webkit. Firefox and IE both treat the innerHTML of a <PRE> tag as regular html, but Safari seems to group it with style, script, and other tags that contain CDATA in some cases. Strangely, Firefox and IE treat XMP and PLAINTEXT elements' content as CDATA but Safari does not. The XMP, LISTING, and PLAINTEXT tags are deprecated, but the PRE tag is not, and its content should not be treated as CDATA. If it is, then the following naive code: document.writeln(myPreTag.innerHTML); could cause arbitrary script to execute by injecting an onmouseover handler. Actual Behavior: The right column of row 6 of the attached page renders as <!DOCTYPE foo PUBLIC "foo"> <foo /> Expected Behavior: It should render as <DOCTYPE foo PUBLIC "foo"> <foo /> though escape other characters, such as the double quotes, would be acceptable too. 24071 1 ddkilzer 2007-02-12 09:42:44 -0800 Sounds like a duplicate of Bug 12735. 24072 2 13134 msamuel 2007-02-12 09:43:18 -0800 Created attachment 13134 html testcase that demonstrates the behavior of innerHTML with various types of elements and text content. Requires javascript. See row 6. 24000 3 darin 2007-02-12 11:45:49 -0800 *** This bug has been marked as a duplicate of 12735 *** 1003831 4 darin 2014-04-24 16:44:51 -0700 Moving all JavaScriptGlue bugs to JavaScriptCore. The JavaScriptGlue framework itself is long gone. And most of the more recent bugs put in this component were put there by people who thought this was for some other aspect of “JavaScript glue” and have nothing to do with the actual original reason for the existence of this component, which was an OS-X-only framework named JavaScriptGlue. 13134 2007-02-12 09:43:18 -0800 2007-02-12 09:43:18 -0800 html testcase that demonstrates the behavior of innerHTML with various types of elements and text content. inner_html_test.html text/html 2122 msamuel PGh0bWw+CjxoZWFkPgo8dGl0bGU+V2hlbiBpcyBpbm5lciBodG1sIHJhdz88L3RpdGxlPgo8L2hl YWQ+Cjxib2R5Pgo8cD5UaGlzIHBhZ2UgdGVzdHMgZm9yIHdoaWNoIHRhZ3MnIGlubmVySFRNTCBp cyB0cmVhdGVkIGFzIHJhdyBjb250ZW50LjwvcD4KPHRhYmxlIGJvcmRlcj0xPgo8dHI+Cjx0aD5v dXRlckhUTUw8L3RoPgo8dGg+aW5uZXJIVE1MPC90aD4KPHRyPgo8dGQ+PGNvZGUgaWQ9bzE+Jmx0 O2RpdiZndDsoMSA8IDIpICYgMyZsdDsvZGl2Jmd0OzwvY29kZT4KPHRkIGlkPWkxPgo8dHI+Cjx0 ZD48Y29kZSBpZD1vMj4mbHQ7ZGl2Jmd0OygxICZhbXA7bHQ7IDIpICZhbXA7YW1wOyAzJmx0Oy9k aXYmZ3Q7PC9jb2RlPgo8dGQgaWQ9aTI+Cjx0cj4KPHRkPjxjb2RlIGlkPW8zPiZsdDtwcmUmZ3Q7 KDEgPCAyKSAmIDMmbHQ7L3ByZSZndDs8L2NvZGU+Cjx0ZCBpZD1pMz4KPHRyPgo8dGQ+PGNvZGUg aWQ9bzQ+Jmx0O3ByZSZndDsoMSAmYW1wO2x0OyAyKSAmYW1wO2FtcDsgMyZsdDsvcHJlJmd0Ozwv Y29kZT4KPHRkIGlkPWk0Pgo8dHI+Cjx0ZD48Y29kZSBpZD1vNT4mbHQ7ZGl2Jmd0OyZhbXA7bHQ7 IURPQ1RZUEUgZm9vIFBVQkxJQyAiZm9vIiZhbXA7Z3Q7CiZhbXA7bHQ7Zm9vIC8mYW1wO2d0Owom bHQ7L2RpdiZndDs8L2NvZGU+Cjx0ZCBpZD1pNT4KPHRyPgo8dGQ+PGNvZGUgaWQ9bzY+Jmx0O3By ZSZndDsmYW1wO2x0OyFET0NUWVBFIGZvbyBQVUJMSUMgImZvbyImYW1wO2d0OwomYW1wO2x0O2Zv byAvJmFtcDtndDsKJmx0Oy9wcmUmZ3Q7PC9jb2RlPgo8dGQgaWQ9aTY+Cjx0cj4KPHRkPjxjb2Rl IGlkPW83PiZsdDtzY3JpcHQmZ3Q7KDEgPCAyKSAmIDMmbHQ7L3NjcmlwdCZndDs8L2NvZGU+Cjx0 ZCBpZD1pNz4KPHRyPgo8dGQ+PGNvZGUgaWQ9bzg+Jmx0O3NjcmlwdCZndDsoMSAmYW1wO2x0OyAy KSAmYW1wO2FtcDsgMyZsdDsvc2NyaXB0Jmd0OzwvY29kZT4KPHRkIGlkPWk4Pgo8dHI+Cjx0ZD48 Y29kZSBpZD1vOT4mbHQ7c3R5bGUmZ3Q7KDEgPCAyKSAmIDMmbHQ7L3N0eWxlJmd0OzwvY29kZT4K PHRkIGlkPWk5Pgo8dHI+Cjx0ZD48Y29kZSBpZD1vMTA+Jmx0O3N0eWxlJmd0OygxICZhbXA7bHQ7 IDIpICZhbXA7YW1wOyAzJmx0Oy9zdHlsZSZndDs8L2NvZGU+Cjx0ZCBpZD1pMTA+Cjx0cj4KPHRk Pjxjb2RlIGlkPW8xMT4mbHQ7eG1wJmd0OygxIDwgMikgJiAzJmx0Oy94bXAmZ3Q7PC9jb2RlPgo8 dGQgaWQ9aTExPgo8dHI+Cjx0ZD48Y29kZSBpZD1vMTI+Jmx0O3htcCZndDsoMSAmYW1wO2x0OyAy KSAmYW1wO2FtcDsgMyZsdDsveG1wJmd0OzwvY29kZT4KPHRkIGlkPWkxMj4KPHRyPgo8dGQ+PGNv ZGUgaWQ9bzEzPiZsdDtsaXN0aW5nJmd0OygxIDwgMikgJiAzJmx0Oy9saXN0aW5nJmd0OzwvY29k ZT4KPHRkIGlkPWkxMz4KPHRyPgo8dGQ+PGNvZGUgaWQ9bzE0PiZsdDtsaXN0aW5nJmd0OygxICZh bXA7bHQ7IDIpICZhbXA7YW1wOyAzJmx0Oy9saXN0aW5nJmd0OzwvY29kZT4KPHRkIGlkPWkxND4K PHRyPgo8dGQ+PGNvZGUgaWQ9bzE1PiZsdDtwbGFpbnRleHQmZ3Q7KDEgPCAyKSAmIDMmbHQ7L3Bs YWludGV4dCZndDs8L2NvZGU+Cjx0ZCBpZD1pMTU+Cjx0cj4KPHRkPjxjb2RlIGlkPW8xNj4mbHQ7 cGxhaW50ZXh0Jmd0OygxICZhbXA7bHQ7IDIpICZhbXA7YW1wOyAzJmx0Oy9wbGFpbnRleHQmZ3Q7 PC9jb2RlPgo8dGQgaWQ9aTE2Pgo8L3RhYmxlPgoKPC9ib2R5PgoKPHNjcmlwdCB0eXBlPXRleHQv amF2YXNjcmlwdD4KZm9yICh2YXIgaSA9IDE7IHRydWU7ICsraSkgewogIHZhciBlbCA9IGRvY3Vt ZW50LmdldEVsZW1lbnRCeUlkKCdvJyArIGkpOwogIGlmICghZWwpIHsgYnJlYWs7IH0KICB2YXIg dGV4dCA9IGVsLmZpcnN0Q2hpbGQubm9kZVZhbHVlOwogIHZhciBub2RlID0gZG9jdW1lbnQuY3Jl YXRlRWxlbWVudCgnRElWJyk7CiAgbm9kZS5pbm5lckhUTUwgPSB0ZXh0OwogIHZhciBpbm5lckhU TUwgPSBub2RlLmZpcnN0Q2hpbGQuaW5uZXJIVE1MOwogIGRvY3VtZW50LmdldEVsZW1lbnRCeUlk KCdpJyArIGkpLmlubmVySFRNTCA9ICc8Y29kZT4nICsKICAgICAgaW5uZXJIVE1MLnJlcGxhY2Uo LyYvZywgJyZhbXA7JykucmVwbGFjZSgvPC9nLCAnJmx0OycpICsgJzwvY29kZT4nOwp9Cjwvc2Ny aXB0Pgo8L2h0bWw+Cg==