272678 2024-04-15 07:44:09 -0700 Handling stale index value in Element setAttribute() API due to the call of getTrustedTypesCompliantAttributeValue() 2024-05-16 06:05:46 -0700 1 1 1 Unclassified WebKit DOM Safari 17 Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 266630 271823 1 zsun webkit-unassigned ashvayka lwarlow mark.lam webkit-bug-importer ysuzuki zsun oldest_to_newest 2028524 0 zsun 2024-04-15 07:44:09 -0700 With the change at https://github.com/WebKit/WebKit/pull/26519, it calls getTrustedTypesCompliantAttributeValue in Element setAttribute() API. The getTrustedTypesCompliantAttributeValue can result in JS execution which may mutate the attributes of the element and make the index value used in this function stale. 2028527 1 470925 zsun 2024-04-15 07:47:28 -0700 Created attachment 470925 bug.html The attached test file should result in the "srcdoc" being the string "alert(1)". It results in onmouseover="alert(1)" instead. 2030212 2 webkit-bug-importer 2024-04-22 08:53:38 -0700 <rdar://problem/126863617> 2035768 3 zsun 2024-05-16 06:05:46 -0700 This has been addressed at https://github.com/WebKit/WebKit/pull/26519 470925 2024-04-15 07:47:28 -0700 2024-04-15 07:47:28 -0700 bug.html bug.html text/html 424 zsun PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1TZWN1cml0eS1Qb2xpY3kiIGNvbnRlbnQ9InJlcXVp cmUtdHJ1c3RlZC10eXBlcy1mb3IgJ3NjcmlwdCc7IHRydXN0ZWQtdHlwZXMgZGVmYXVsdDsiPgo8 Ym9keT4KPGlmcmFtZSBpZD0iaWZyYW1lIiBkYXRhLXg9IiIgc3JjZG9jPSJjb250ZW50IiBvbm1v dXNlb3Zlcj0iIj48L2lmcmFtZT4KPHNjcmlwdD4KICAgIHRydXN0ZWRUeXBlcy5jcmVhdGVQb2xp Y3koJ2RlZmF1bHQnLCB7CiAgICAgICAgY3JlYXRlSFRNTDogKHMpID0+IHsKICAgICAgICAgICAg aWZyYW1lLnJlbW92ZUF0dHJpYnV0ZSgnZGF0YS14Jyk7CiAgICAgICAgICAgIHJldHVybiBzOwog ICAgICAgIH0KICAgIH0pOwogICAgaWZyYW1lLnNldEF0dHJpYnV0ZSgnc3JjZG9jJywgImFsZXJ0 KDEpIik7Cjwvc2NyaXB0Pgo8L2JvZHk+Cg==