Bug 12744

Summary: innerHTML in PRE not properly escaped
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED DUPLICATE
Severity: Normal
Priority: P2
Version: 312.x
Hardware: All
OS: All
Reporter: Mike Samuel <msamuel>
Assignee: Nobody <webkit-unassigned>
CC: mjs
Attachments: html testcase that demonstrates the behavior of innerHTML with various types of elements and text content (flags: none)

Mike Samuel
Reported 2007-02-12 09:39:38 PST
The attached html page demonstrates what I think is a bug in Safari. I have only tested with Safari 2.0.4, not the latest version of WebKit. Firefox and IE both treat the innerHTML of a <PRE> tag as regular html, but Safari seems to group it with style, script, and other tags that contain CDATA in some cases. Strangely, Firefox and IE treat XMP and PLAINTEXT elements' content as CDATA but Safari does not. The XMP, LISTING, and PLAINTEXT tags are deprecated, but the PRE tag is not, and its content should not be treated as CDATA. If it is, then the following naive code: document.writeln(myPreTag.innerHTML); could cause arbitrary script to execute by injecting an onmouseover handler.

Actual Behavior: The right column of row 6 of the attached page renders as <!DOCTYPE foo PUBLIC "foo"> <foo />

Expected Behavior: It should render as &lt;DOCTYPE foo PUBLIC "foo"&gt; &lt;foo /&gt; though escaping other characters, such as the double quotes, would be acceptable too.
Attachments
html testcase that demonstrates the behavior of innerHTML with various types of elements and text content. (2.07 KB, text/html)
2007-02-12 09:43 PST, Mike Samuel
no flags
David Kilzer (:ddkilzer)
Comment 1 2007-02-12 09:42:44 PST
Sounds like a duplicate of Bug 12735.
Mike Samuel
Comment 2 2007-02-12 09:43:18 PST
Created attachment 13134: html testcase that demonstrates the behavior of innerHTML with various types of elements and text content. Requires javascript. See row 6.
Darin Adler
Comment 3 2007-02-12 11:45:49 PST
*** This bug has been marked as a duplicate of 12735 ***
Darin Adler
Comment 4 2014-04-24 16:44:51 PDT
Moving all JavaScriptGlue bugs to JavaScriptCore. The JavaScriptGlue framework itself is long gone. And most of the more recent bugs put in this component were put there by people who thought this was for some other aspect of “JavaScript glue” and have nothing to do with the actual original reason for the existence of this component, which was an OS-X-only framework named JavaScriptGlue.