30982 2009-10-31 14:23:51 -0700 createHTMLDocument doesn't escape ampersand and less-than in title 2009-11-01 12:05:30 -0800 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) PC All RESOLVED FIXED P2 Normal --- 1 nanto ap oldest_to_newest 159579 0 nanto 2009-10-31 14:23:51 -0700 |document.implementation.createHTMLDocument(title)| wrongly parses the value of the title parameter as a part of HTML source, violating both old DOM2 HTML CR [1] and HTML5 [2]. [1] http://www.w3.org/TR/2002/CR-DOM-Level-2-HTML-20020605/html.html#HTML-DOM-createHTMLDocument [2] http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#dom-domhtmlimplementation-createhtmldocument Steps to reproduce: Execute the following JavaScript code: javascript:alert(document.implementation.createHTMLDocument('foo</title>').title); Expected result: foo</title> Actual result: foo Confirmed on WebKit-r50095. 159615 1 42269 ap 2009-10-31 21:43:56 -0700 Created attachment 42269 proposed fix 159646 2 ap 2009-11-01 12:05:30 -0800 Committed <http://trac.webkit.org/changeset/50389>. 42269 2009-10-31 21:43:56 -0700 2009-11-01 06:04:21 -0800 proposed fix createHTMLDocument.txt text/plain 3654 ap SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA1MDM4MykKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTUgQEAKKzIwMDktMTAtMzEgIEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEBhcHBs ZS5jb20+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTMwOTgyCisgICAgICAgIGNy ZWF0ZUhUTUxEb2N1bWVudCBkb2Vzbid0IGVzY2FwZSBhbXBlcnNhbmQgYW5kIGxlc3MtdGhhbiBp biB0aXRsZQorCisgICAgICAgIFRlc3Q6IGZhc3QvZG9tL0RPTUltcGxlbWVudGF0aW9uL2NyZWF0 ZUhUTUxEb2N1bWVudC10aXRsZS5odG1sCisKKyAgICAgICAgKiBkb20vRE9NSW1wbGVtZW50YXRp b24uY3BwOiAoV2ViQ29yZTo6RE9NSW1wbGVtZW50YXRpb246OmNyZWF0ZUhUTUxEb2N1bWVudCk6 CisgICAgICAgIFNldCBkb2N1bWVudCB0aXRsZSBhZnRlciBjcmVhdGluZyB0aGUgZG9jdW1lbnQs IGF2b2lkaW5nIHBhcnNlciBpbnRyaWNhY2llcy4KKwogMjAwOS0xMC0zMSAgT2xpdmVyIEh1bnQg IDxvbGl2ZXJAYXBwbGUuY29tPgogCiAgICAgICAgIEJ1aWxkIGZpeApJbmRleDogV2ViQ29yZS9k b20vRE9NSW1wbGVtZW50YXRpb24uY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvZG9tL0RPTUlt cGxlbWVudGF0aW9uLmNwcAkocmV2aXNpb24gNTAzODApCisrKyBXZWJDb3JlL2RvbS9ET01JbXBs ZW1lbnRhdGlvbi5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTMwNSw3ICszMDUsOCBAQCBQYXNzUmVm UHRyPEhUTUxEb2N1bWVudD4gRE9NSW1wbGVtZW50YXRpCiB7CiAgICAgUmVmUHRyPEhUTUxEb2N1 bWVudD4gZCA9IEhUTUxEb2N1bWVudDo6Y3JlYXRlKDApOwogICAgIGQtPm9wZW4oKTsKLSAgICBk LT53cml0ZSgiPCFkb2N0eXBlIGh0bWw+PGh0bWw+PGhlYWQ+PHRpdGxlPiIgKyB0aXRsZSArICI8 L3RpdGxlPjwvaGVhZD48Ym9keT48L2JvZHk+PC9odG1sPiIpOworICAgIGQtPndyaXRlKCI8IWRv Y3R5cGUgaHRtbD48aHRtbD48Ym9keT48L2JvZHk+PC9odG1sPiIpOworICAgIGQtPnNldFRpdGxl KHRpdGxlKTsKICAgICByZXR1cm4gZC5yZWxlYXNlKCk7CiB9CiAKSW5kZXg6IExheW91dFRlc3Rz L0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHJldmlzaW9u IDUwMzgzKQorKysgTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMg KzEsMTMgQEAKKzIwMDktMTAtMzEgIEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEBhcHBsZS5jb20+ CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTMwOTgyCisgICAgICAgIGNyZWF0ZUhU TUxEb2N1bWVudCBkb2Vzbid0IGVzY2FwZSBhbXBlcnNhbmQgYW5kIGxlc3MtdGhhbiBpbiB0aXRs ZQorCisgICAgICAgICogZmFzdC9kb20vRE9NSW1wbGVtZW50YXRpb24vY3JlYXRlSFRNTERvY3Vt ZW50LXRpdGxlLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogZmFzdC9kb20vRE9NSW1w bGVtZW50YXRpb24vY3JlYXRlSFRNTERvY3VtZW50LXRpdGxlLmh0bWw6IEFkZGVkLgorCiAyMDA5 LTEwLTMxICBPbGl2ZXIgSHVudCAgPG9saXZlckBhcHBsZS5jb20+CiAKICAgICAgICAgUmV2aWV3 ZWQgYnkgSm9uIEhvbmV5Y3V0dC4KSW5kZXg6IExheW91dFRlc3RzL2Zhc3QvZG9tL0RPTUltcGxl bWVudGF0aW9uL2NyZWF0ZUhUTUxEb2N1bWVudC10aXRsZS1leHBlY3RlZC50eHQKPT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PQotLS0gTGF5b3V0VGVzdHMvZmFzdC9kb20vRE9NSW1wbGVtZW50YXRpb24vY3JlYXRlSFRNTERv Y3VtZW50LXRpdGxlLWV4cGVjdGVkLnR4dAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2Zh c3QvZG9tL0RPTUltcGxlbWVudGF0aW9uL2NyZWF0ZUhUTUxEb2N1bWVudC10aXRsZS1leHBlY3Rl ZC50eHQJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsNSBAQAorVGVzdCBmb3IgYSBidWcgMzA5ODI6 IGNyZWF0ZUhUTUxEb2N1bWVudCBkb2Vzbid0IGVzY2FwZSBhbXBlcnNhbmQgYW5kIGxlc3MtdGhh biBpbiB0aXRsZS4KKworU2hvdWxkIHNheSBQQVNTOgorCitQQVNTCgpQcm9wZXJ0eSBjaGFuZ2Vz IG9uOiBMYXlvdXRUZXN0cy9mYXN0L2RvbS9ET01JbXBsZW1lbnRhdGlvbi9jcmVhdGVIVE1MRG9j dW1lbnQtdGl0bGUtZXhwZWN0ZWQudHh0Cl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KTmFtZTogc3ZuOm1pbWUtdHlwZQog ICArIHRleHQvcGxhaW4KTmFtZTogc3ZuOmVvbC1zdHlsZQogICArIG5hdGl2ZQoKSW5kZXg6IExh eW91dFRlc3RzL2Zhc3QvZG9tL0RPTUltcGxlbWVudGF0aW9uL2NyZWF0ZUhUTUxEb2N1bWVudC10 aXRsZS5odG1sCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL2Zhc3QvZG9tL0RPTUltcGxlbWVu dGF0aW9uL2NyZWF0ZUhUTUxEb2N1bWVudC10aXRsZS5odG1sCShyZXZpc2lvbiAwKQorKysgTGF5 b3V0VGVzdHMvZmFzdC9kb20vRE9NSW1wbGVtZW50YXRpb24vY3JlYXRlSFRNTERvY3VtZW50LXRp dGxlLmh0bWwJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsOSBAQAorPHA+VGVzdCBmb3IgYSA8aHJl Zj0iaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTMwOTgyIj5idWcgMzA5 ODI8L2E+OiBjcmVhdGVIVE1MRG9jdW1lbnQgZG9lc24ndCBlc2NhcGUgYW1wZXJzYW5kIGFuZCBs ZXNzLXRoYW4gaW4gdGl0bGUuPC9wPgorPHA+U2hvdWxkIHNheSBQQVNTOjwvcD4KKzxzY3JpcHQ+ CitpZiAod2luZG93LmxheW91dFRlc3RDb250cm9sbGVyKQorICAgIGxheW91dFRlc3RDb250cm9s bGVyLmR1bXBBc1RleHQoKTsKKwordmFyIHJlc3VsdCA9IGRvY3VtZW50LmltcGxlbWVudGF0aW9u LmNyZWF0ZUhUTUxEb2N1bWVudCgnZm9vPC90aXRsZT4nKS50aXRsZTsKK2RvY3VtZW50LndyaXRl KChyZXN1bHQgPT0gJ2ZvbzwvdGl0bGU+JykgPyAiUEFTUyIgOiAoIkZBSUwuIFRpdGxlIGlzOjx4 bXA+IiArIHJlc3VsdCArICI8L3htcD4iKSk7Cis8L3NjcmlwdD4KClByb3BlcnR5IGNoYW5nZXMg b246IExheW91dFRlc3RzL2Zhc3QvZG9tL0RPTUltcGxlbWVudGF0aW9uL2NyZWF0ZUhUTUxEb2N1 bWVudC10aXRsZS5odG1sCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX18KTmFtZTogc3ZuOm1pbWUtdHlwZQogICArIHRleHQv aHRtbAoK