| Summary: | script elements created by the transformToFragment method of XSLTProcessor are not executed on insertion into DOM tree | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Martin Honnen <martin.honnen> |
| Component: | XML | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | ap, cdumez, ews-watchlist, rniwa |
| Priority: | P2 | | |
| Version: | Safari Technology Preview | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Attachments: | | | |
Description
Martin Honnen
2019-07-09 01:09:47 PDT
Would you be willing to try submitting a patch anyway, as it will be processed and tests will run automatically? It will certainly be more annoying than with a local build, but it's doable.

(In reply to Alexey Proskuryakov from comment #1)
> Would you be willing to try submitting a patch anyway, as it will be
> processed and tests will run automatically? It will certainly be more
> annoying than with a local build, but it's doable.

Does it suffice to clone the WebKit git repository, branch, edit the one file, commit locally and attach a git diff here? Or would I need to use the WebKit tools like described in https://webkit.org/contributing-code/#create-the-patch (e.g. Tools/Scripts/webkit-patch upload)? I am currently not sure what kind of setup those tools rely on; the list in https://webkit.org/webkit-on-windows/#installing-developer-tools seems rather long with all the particular Perl, Ruby, Python etc. installs needed.

> Does it suffice to clone the WebKit git repository, branch, edit the one file, commit locally and attach a git diff here?

Pretty much.

webkit-patch is not necessary, I personally never use it. A ChangeLog is needed though, and the prepare-ChangeLog script helps by adding a template to the top. But you can also make a similar looking entry manually.

The only concern that I have about this change - and will defer to others to answer - is whether it opens any new possibilities for script execution at an inopportune time. It *seems* like it's OK, but the consequences of untimely script execution are so bad that someone better be sure.

Created attachment 373949 [details]
fixing WebCore::createFragmentForTransformToFragment to use AllowScriptingContentAndDoNotMarkAlreadyStarted in parseHTML and parseXML calls

I have tried my best to create a changelog entry manually, but I am not sure whether I am supposed to link to external test cases (i.e. the ones I mentioned in the bug report) and where that "rdar" link is created from, so I have left these two issues out of the change log entry for the time being.
Attachment 373949 [details] did not pass style-queue:
ERROR: Source/WebCore/ChangeLog:4: Line contains tab character. [whitespace/tab] [5]
ERROR: Source/WebCore/ChangeLog:6: Line contains tab character. [whitespace/tab] [5]
ERROR: Source/WebCore/ChangeLog:7: Line contains tab character. [whitespace/tab] [5]
ERROR: Source/WebCore/ChangeLog:8: Line contains tab character. [whitespace/tab] [5]
ERROR: Source/WebCore/ChangeLog:9: Line contains tab character. [whitespace/tab] [5]
ERROR: Source/WebCore/ChangeLog:10: Line contains tab character. [whitespace/tab] [5]
ERROR: Source/WebCore/ChangeLog:12: Line contains tab character. [whitespace/tab] [5]
Total errors found: 7 in 2 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 373949 [details]
fixing WebCore::createFragmentForTransformToFragment to use AllowScriptingContentAndDoNotMarkAlreadyStarted in parseHTML and parseXML calls
Trying to fix the tab issues raised by style bot on the ChangeLog entry.
Created attachment 374000 [details]
script elements created by the transformToFragment method of XSLTProcessor are not executed on insertion into DOM tree
Trying to fix issues with tab characters raised by style bot.
Comment on attachment 374000 [details]
script elements created by the transformToFragment method of XSLTProcessor are not executed on insertion into DOM tree
It seems like this would be a pretty serious XSS risk for any website or apps embedding WKWebView / UIWebView relying on the existing behavior to not execute scripts.
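The following is an added, self-contained test page written for this write-up; it is not from the bug report, from the attached patch, or from WebKit. It performs the transformation the bug is about (an XSLT stylesheet whose output contains a `<script>` element, run through XSLTProcessor.transformToFragment and appended to the document) and records whether that script ran, then does the same with a fragment that has been sanitized first, which is what an embedder relying on scripts *not* running should do rather than depending on engine behaviour. The global flag names (`window.__xsltScriptRan`, `window.__xsltHandlerRan`), the function names and the sample XML/XSLT are assumptions constructed for this example. The `<img onerror>` probe checks the separate inline-event-handler path, which is not governed by the "already started" marking of script elements.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>Does transformToFragment output execute scripts?</title>
<pre id="log"></pre>
<script>
// Added test page; not from the bug report or from WebKit. The global flag
// names (window.__xsltScriptRan, window.__xsltHandlerRan) and the function
// names are assumptions made up for this example.

// Constructed XML input and XSLT stylesheet. The stylesheet's literal result
// tree contains a <script> element and an element with an inline event
// handler attribute, so both execution paths can be observed separately.
const xmlSource = '<root><msg>hello from the transformed document</msg></root>';
const xsltSource = `<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html"/>
  <xsl:template match="/">
    <div class="xslt-out">
      <p><xsl:value-of select="/root/msg"/></p>
      <script>window.__xsltScriptRan = true;</script>
      <img src="data:," onerror="window.__xsltHandlerRan = true"/>
    </div>
  </xsl:template>
</xsl:stylesheet>`;

window.__xsltScriptRan = false;
window.__xsltHandlerRan = false;

function log(message) {
  document.getElementById('log').textContent += message + '\n';
}

// Run the transformation and return the resulting DocumentFragment, owned by
// the current document, exactly as an application would before inserting it.
function transformToFragment() {
  const parser = new DOMParser();
  const xml = parser.parseFromString(xmlSource, 'application/xml');
  const xslt = parser.parseFromString(xsltSource, 'application/xml');
  const processor = new XSLTProcessor();
  processor.importStylesheet(xslt);
  return processor.transformToFragment(xml, document);
}

// Defensive step for an embedder that must not let transformed content run
// script: remove <script> elements and on* attributes from the fragment
// before insertion, rather than relying on the engine's current behaviour.
// (javascript: URLs in href/src and similar are a further path not covered here.)
function sanitizeFragment(fragment) {
  fragment.querySelectorAll('script').forEach(node => node.remove());
  const walker = document.createTreeWalker(fragment, NodeFilter.SHOW_ELEMENT);
  for (let el = walker.nextNode(); el; el = walker.nextNode()) {
    for (const attr of Array.from(el.attributes)) {
      if (/^on/i.test(attr.name)) el.removeAttribute(attr.name);
    }
  }
  return fragment;
}

function resetFlags() {
  window.__xsltScriptRan = false;
  window.__xsltHandlerRan = false;
}

// 1. Insert the raw fragment and observe what runs.
document.body.appendChild(transformToFragment());
setTimeout(() => {
  log('raw fragment: <script> executed = ' + window.__xsltScriptRan);
  log('raw fragment: inline onerror fired = ' + window.__xsltHandlerRan);

  // 2. Insert a sanitized fragment; neither flag should be set afterwards.
  resetFlags();
  document.body.appendChild(sanitizeFragment(transformToFragment()));
  setTimeout(() => {
    log('sanitized fragment: <script> executed = ' + window.__xsltScriptRan);
    log('sanitized fragment: inline onerror fired = ' + window.__xsltHandlerRan);
  }, 500);
}, 500);
</script>
```

Open the file directly in the engine under test. With the behaviour this bug describes, the first line reports `false` (the script element from the transformed fragment is marked as already started and never runs); in an engine that executes such scripts, or in a WebKit build carrying the proposed change, it reports `true`. The onerror line shows that inline handler attributes fire either way, which is why an application that treats transformToFragment output as untrusted needs the sanitization step regardless of how this bug is resolved, and why the XSS concern raised above applies to embedders that have been depending on the current behaviour as their only control.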