Bug 12744

Summary:

innerHTML in PRE not properly escaped

Product:

WebKit

Reporter:

Mike Samuel <msamuel>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED DUPLICATE

Severity:

Normal

CC:

mjs

Priority:

Version:

312.x

Hardware:

All

OS:

All

Attachments:

Description	Flags
html testcase that demonstrates the behavior of innerHTML with various types of elements and text content.	none

Mike Samuel

Reported 2007-02-12 09:39:38 PST

The attached html page demonstrates what I think is a bug in Safari. I have only tested with Safari 2.0.4, not the latest version of Webkit. Firefox and IE both treat the innerHTML of a <PRE> tag as regular html, but Safari seems to group it with style, script, and other tags that contain CDATA in some cases. Strangely, Firefox and IE treat XMP and PLAINTEXT elements' content as CDATA but Safari does not. The XMP, LISTING, and PLAINTEXT tags are deprecated, but the PRE tag is not, and its content should not be treated as CDATA. If it is, then the following naive code: document.writeln(myPreTag.innerHTML); could cause arbitrary script to execute by injecting an onmouseover handler. Actual Behavior: The right column of row 6 of the attached page renders as <!DOCTYPE foo PUBLIC "foo"> <foo /> Expected Behavior: It should render as <DOCTYPE foo PUBLIC "foo"> <foo /> though escape other characters, such as the double quotes, would be acceptable too.

Attachments
html testcase that demonstrates the behavior of innerHTML with various types of elements and text content. (2.07 KB, text/html) 2007-02-12 09:43 PST, Mike Samuel	no flags	Details
View All Add attachment proposed patch, testcase, etc.

David Kilzer (:ddkilzer)

Comment 1 2007-02-12 09:42:44 PST

Sounds like a duplicate of Bug 12735.

Mike Samuel

Comment 2 2007-02-12 09:43:18 PST

Created attachment 13134 [details] html testcase that demonstrates the behavior of innerHTML with various types of elements and text content. Requires javascript. See row 6.

Darin Adler

Comment 3 2007-02-12 11:45:49 PST

*** This bug has been marked as a duplicate of 12735 ***

Darin Adler

Comment 4 2014-04-24 16:44:51 PDT

Moving all JavaScriptGlue bugs to JavaScriptCore. The JavaScriptGlue framework itself is long gone. And most of the more recent bugs put in this component were put there by people who thought this was for some other aspect of “JavaScript glue” and have nothing to do with the actual original reason for the existence of this component, which was an OS-X-only framework named JavaScriptGlue.

Note You need to log in before you can comment on or make changes to this bug.