Summary: | CSS variables (custom properties) bug & a potential crash | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Roman Komarov <kizmarh> | ||||
Component: | CSS | Assignee: | Nobody <webkit-unassigned> | ||||
Status: | NEW --- | ||||||
Severity: | Major | CC: | ahmad.saleem792, ap, bfulgham, emilio, jonlee, justin_michaud, koivisto, rniwa, simon.fraser, twilco.o, webkit-bug-importer, zalan | ||||
Priority: | P2 | Keywords: | InRadar | ||||
Version: | Safari 11 | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Bug Depends on: | 190039 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Roman Komarov
2018-04-12 09:03:14 PDT
Found the minimal CSS that causes the crash: *{--:var(---,var(--))} Looks like infinite recursion. Not sure if the crash and the bug are closely enough related to track in one issue. Yes, not sure if they related, but seem to be in both cases related to the variable's fallback, but feel free to split into a new one anyway. Any news about this? I find that having a case where 22-characters if CSS cause a crash to be rather dangerous, as it could be possible to use it as an attack, by inserting it somewhere where you have an access to CSS/HTML, and via it basically disabling the browsing experience for anyone using Safari. Also, a question: is it something that would be safe to write about in social networks, so people would know that this is possible and could potentially protect themselves by stripping CSS variables from any user-generated fields, and also as an interesting anecdote about the circularity in CSS? I can't reproduce this in Safari Version 14.0 (15610.1.28.1.9, 15610). I get a lime green background, and no crash from the Codepen nor the minimal CSS you've provided. Can you confirm whether or not this is still an issue? I am not able to reproduce any crash with test case in Safari 15.6.1 and Safari Technology Preview 151 but I don't get "Lime" background but light reddish / pinkish background and it is same as other browsers (Chrome Canary 106 and Firefox Nightly 105). Please mark this bug accordingly. Thanks! |